This Privacy Policy (“Privacy Policy”) describes how Vori Health, Inc. (“Vori Health”) collectively referred to as “we,” “our,” and “us” in this Privacy Policy, collect and use personal information from and about you when you use the Vori Health website [https://www.Vorihealth.com] and mobile application(s) (collectively, the “Website”), and/or when you communicate with Vori Health by e-mail, text message, telephone conversation, chat, or other means of communicating electronically or by voice or video.
Through the Website, we make certain information available to you regarding in-person and remote musculoskeletal care and facilitate your access to telemedicine and expert medical services (the “Services”) provided by Vori Health Medical Group, PLLC (the “PLLC”). Vori Health understands that privacy of information is of great importance to our Visitors.
We collect information that personally identifies you, such as your name, telephone number, email address, date of birth, data generated by sensors in the devices you use to access the Services and other data which can be reasonably linked to such information (“Personal Information”) only if you choose to share such information with us. For example, you will be required to provide us with certain Personal Information to register for the Services, sign up for certain features available through the Services (such as push notifications, text messages and other communications services which may offer you the ability to share information with third parties, such as health care professionals), and at other times. The decision to provide this information is optional; however, if you decide not to register or provide such information, you may not be able to use some or all of the features of the Services. Further, Vori Health may offer location-enabled services, for example to locate a nearby doctor or pharmacy. If you use those services, Vori Health may receive information about your actual location (such as GPS signals sent by a mobile device) or information that can be used to approximate a location (such as a cell ID). You will have the option to disable collection and use of location information. However, doing so may prevent you from using some features of the Services, or limit the function of some features.
Vori Health offers you the ability to share your Health Information with the PLLC in connection with the Services. “Health Information” includes both Protected Health Information and Additional Health Information. “Protected Health Information” or “PHI” is personally identifiable information which relates to your health or payment for your healthcare services that is created or received by an entity covered under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (“HIPAA”), such as Vori Health as a business associate of the PLLC, and the PLLC, as a covered entity under HIPAA. Protected Health Information includes the combination of your Personal Information and personal health information, such as medical records, medical history and/or information regarding a condition or treatment (e.g. information about symptoms, prescriptions, allergies, diagnoses and outcomes or side effects of treatment). “Additional Health Information” is any and all other personal health information that is not Protected Health Information, generally because such information was not created or received by a HIPAA-covered entity.
When you use the Services, you expressly authorize the sharing of your Health Information with anyone whom is part of your Services team and is also a user of the Services, which may include your healthcare professional(s).
If you allow someone to access your account, you do so at your sole risk and may risk exposing your Health Information. Vori Health does not know and cannot control how anyone else to whom you give access to your account and/or with whom you share your Health Information may use your Health Information or account. Health Information you provide to others may not be protected, kept private, or be secure. You are solely responsible for all use of your account, by yourself or anyone whom you permit to use it. Vori Health will not be liable for any disclosure or use of Health Information or other information by you or anyone using your account with your permission.
You should not upload any Health Information regarding any person other than yourself without that person’s prior express consent. You must obtain the consent of your family member or any other person before you submit or share Health Information about that person. By submitting or sharing Health Information about a family member or anyone else, you represent and warrant that you have obtained that person’s express consent to do so or that you otherwise have the legal authority to do so (e.g., because that person is a minor and you are the parent or legal guardian).
This Privacy Policy also applies to information collected from Visitors after they register and log-in ("Members") to the password protected and secure portions of our website and mobile application ("Secure Platforms"). These Secure Platforms allow Members to utilize the Services provided by the PLLC.
This Privacy Policy details how we may use, share and maintain any information that you provide to us or to the PLLC. Vori Health's role is limited to making such information available to you and/or facilitate your access to the Services, on behalf of the PLLC as its “business associate” as that term is defined under HIPAA. Vori Health is independent from the PLLC and the healthcare providers that may provide you with Services through the PLLC. Vori Health is not responsible for the PLLC’s acts, omissions or for any content of the communications made by them to you. Vori Health does not engage in the practice of medicine or provide any health services to you. Vori Health provides certain business associate services to the PLLC.
Any Health Information stored and collected by Vori Health or added by Members into such Secure Platforms is identifiable, PHI and therefore governed by HIPAA. How the PLLC uses and discloses such PHI shall be in accordance with the PLLC’s Notice of Privacy Practices For example, if you have consented to importing data from your healthcare provider into the Secure Platform, you should review the PLLC’s Notice of Privacy Practices to understand how the PLLC will use and disclose such PHI.
Your access and use of the Website and Secure Platforms are subject to your agreement with this Privacy Policy and the Website Terms of Use. By using the Website, you expressly agree to the terms of this Privacy Policy and consent to the collection and use of information as discussed in this Privacy Policy.
If you do not agree with this Privacy Policy, please do not use or access the Website for any purpose. Please print a copy of this Privacy Policy for your records.
Vori Health may revise this Privacy Policy regarding the collection of information at any time. Should this Privacy Policy change materially, Vori Health will give notice to you by posting a notice regarding the new policy on the Website. The revised Privacy Policy will be effective as of its posting unless otherwise stated.
By accessing or using the Website after such changes are posted you agree to all such changes.
Vori Health provides you with an appropriate notice, this document, of the potential uses and disclosures of your PHI. Vori Health provides notice to you of our privacy practices on our website, and you have agreed to receive information from us via our website. We may also provide this information to you by email unless you notify us that you withdraw do not agree to such email communication.
Collection, Use and Disclosure of Your Information Procedure
You may withdraw your agreement to have Vori Health provide documents to you regarding the collection, use and disclosure of your information by contacting the Vori Health Chief Privacy Officer at [email protected].
Either Vori Health or a third-party vendor on behalf of Vori Health may automatically collect information while Visitors browse the Website. We may collect such information by tracking, or asking a third-party vendor to track, your click-stream activity when such information is not tied to a user ID through the use of "cookie" technology or by tracking internet protocol (IP) addresses, as explained below.
Because we want our Website to better serve Visitors' needs, we collect some basic information about Visitors and their devices, including, but not limited to:
We use this Information to provide you with the Services, to enhance and improve our Website and to better serve our Visitors' needs. For example, we use this Information to know what browsers people most commonly use, what pages are most often visited, and what functionality is most used. Some of the Information we collect from Visitors, such as IP Address, may be considered identifiable Personal Information. Additionally, there are times on our Website that Visitors are able to voluntarily submit Personal Information, such as their name, phone number, and/or email address in order to obtain more information from Vori Health. We may remove personal identifiers from your Personal Information and maintain and use it in a de-identified form ("De-Identifiable Information"). De-Identifiable Information and Personal Information are collectively referred to throughout this Privacy Policy as "Information".
The Information collected from Visitors on our Website may be shared with our suppliers and vendors and used in the aggregate to create summary statistics that help us analyze the Websites' usage trends, assess what information is of most and least importance, determine technical design specifications, arrange the Website in the most user-friendly way, and identify system performance or problem areas.
By continuing to use the Website, you hereby consent to the use and disclosure of your Information as set forth below:
By becoming a user of the Services and providing your mobile number and/or email address, certain features of the Services will be provided to you via your mobile phone or other mobile device (or in rare cases, and upon request, by secure encrypted fax) which may include: the ability to upload content to the Website, download applications, and receive email, short message service (SMS), text message communications and mobile push notifications, each of which are not encrypted (“Mobile Features”). Standard messaging, data and/or other fees may be charged by your carrier. You can opt out of receiving email, SMS/text messages, and mobile push notifications. Although unlikely, it is possible for these communications to be intercepted or accessed without your authorization, and by using the Services, you release Vori Health from any liability arising from or related to any such interception or unauthorized access. You can opt out by changing your profile settings within the Services or by notifying your healthcare provider. You agree to notify Vori Health of any changes to your mobile number and email by updating your Vori Health Services account to reflect any changes.
If you contact Vori Health after business hours, you may leave a voicemail with our answering service so urgent calls can be forwarded to on-call medical staff. The answering service uses reasonable security procedures and practices which are appropriate to the nature of the information involved, in order to protect your Personal Information, Health Information and/or Protected Health Information from unauthorized access, use, or disclosure.
Services concerning you may be accessed by the PLLC and its healthcare professionals who are linked to your account, and by Vori Health service providers, affiliates, representatives and assigns, all of whom may: send and receive reminders, alerts or other service-related information via email and/or push notifications or the like, i.e., utilize Mobile Features to notify and be notified of information about you. The use of Mobile Features may include the sharing of your Personal Information and Health Information. Although unlikely, it is possible for these communications to be intercepted or accessed without your authorization, and by using the Services, you release Vori Health from any liability arising from or related to any such interception or unauthorized access.
From time to time, and with your consent as defined in Vori’s Terms of Service, it may be necessary for us to disclose your Personal Information, Health Information, and/or Protected Health Information to other treatment providers (for example, your primary care physician or a provider to whom Vori Health has referred you for treatment). This disclosure may be made via secure encrypted fax or other secure means.
We use secure encrypted methods of communication such as E-Fax, which encrypts data end-to-end and whose privacy practices are consistent with ours. The methods we use have industry-standard security procedures and practices which are appropriate to the nature of the information involved, in order to protect your Personal Information, Health Information and/or Protected Health Information from unauthorized access, use, or disclosure.
In order to provide the Services to you, we may use your Personal Information and/or Health Information to verify your eligibility, review your claims status, and seek authorizations from payers. We will disclose only the information necessary to provide Services to you. In some instances, we may use secure encrypted fax for this disclosure.
We may use tools to obtain digital signatures from you, such as DocuSign. With its help, we can ensure that you explicitly authorize through the digital signature, when necessary, the release of your information to other treatment providers or insurance companies.
We may also use tools to obtain digital signatures from time to time when we need our employees to sign certain contractual agreements.
In either case, you will be able to consent to the use of such a digital tool before using it, and we will collect only the information necessary to execute the digital signature (including, but not limited to, your name, date of birth, physical address and email address). However, you should understand that the information we are required to collect in order to obtain your digital signature can include Personal Information, Health Information, and Protected Health Information. Your failure to consent to the use of a digital signature tool may restrict our ability to provide some Services to you.
We use a digital imaging tool to store digital imagery related to your treatment. Access to this digital imagery is given to Vori Health providers, who may share it with your other health care treatment providers. We will collect only the information necessary to store and access the digital imagery. The tool uses industry-standard security procedures and practices which are appropriate to the nature of the information involved, in order to protect your Personal Information, Health Information and/or Protected Health Information from unauthorized access, use, or disclosure.
We use a digital marketing platform to inventory, order, and track marketing items. This involves the use of name, postal address and email address from Vori Health employees, members and partners. We will collect only the information necessary for these marketing purposes. The platform uses industry-standard security procedures and practices which are appropriate to the nature of the information involved, in order to protect your Personal Information, Health Information and/or Protected Health Information from unauthorized access, use, or disclosure. We never sell data we collect from you to others.
Please be advised that, whenever you voluntarily post information to any public forum such as a bulletin board, blog, community or related interactive area of the Services, collectively “Public Posts”, such information can and may be accessed by the public. This means that any person or entity with access to such information can potentially use it for any purpose, including to send unsolicited communications.
Like many companies, we use "cookies" and “web beacons” to help you better navigate the Website. A "cookie" is a small piece of information sent by Vori Health's web-based applications that are stored by your web browser on your computer's hard drive. A “web beacon” is an electronic file placed within a website that monitors usage. Cookies and web beacons enhance your online experience by saving your preferences while you are visiting a particular Website. The cookies do not contain any identifiable information and cannot profile your system or collect information from your hard drive. Most Internet browsers automatically accept cookies, but you can set your browser to refuse them or to alert you when they are being sent.
To adjust your cookie settings, please either change your settings on your browser, or go to your Vori Health User Setting page and make the necessary selection.
Amendment. You have a right to request that Vori Health amend or delete the Personal Information it collects from your use of the Website if you believe it is incorrect or incomplete, and you may request an amendment or deletion for as long as the Personal Information is retained by Vori Health. You must submit your request in writing to Vori Health and provide a reason to support the requested amendment. Vori Health may, under certain circumstances, deny your request by sending you a written notice of denial.
Withdrawal of Consent. Subject to applicable law, you may withdraw your consent to uses and disclosures of Personal Information as outlined in this Privacy Policy. You must submit your request in writing to Vori Health. Withdrawing consent does not invalidate consent to any collection, use or disclosure of Personal Information to which you consented before consent was withdrawn. If you withdraw consent, or refuse further consent, Vori Health’s ability to offer services to you may be limited.
If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your Personal Information by Vori Health to third parties for the third parties' direct marketing purposes. These requests only cover information for the immediately prior calendar year (e.g., requests made in 2021 will receive information about 2020 sharing activities) and information about our sharing in general, not specific to you. To make such a request, please send an email to [email protected]. If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the "CCPA"), gives you additional rights about the collection, processing and storage of your personal data, which we will explain below.
We may collect information that is considered Personal Information as described in Section 1798.80(e) of the California Civil Code (such as name, signature, Social Securty Numbers, address, telephone number, insurance policy number, financial information (for payment purposes only), medical information, and health insurance information). We may also collect information that is considered Sensitive Personal Information under the California Privacy Rights Act (CPRA) (such as Social Security Number, financial account information (for payment purposes only), and health information). All of this information is considered Personal Information as that term is defined hereunder.
We will not collect additional categories of personal information or use Personal Information collected for additional purposes without providing you with notice.
We will retain your Personal Information throughout your business relationship with us, and for a reasonable period thereafter, as allowed by applicable law.
We may disclose your contact information and financial information with our Service Providers to help us provide the Services. Please note that we do not sell any of your Personal Information to third parties.
Additionally, you have the following rights under the CCPA and you may exercise these rights no more than twice in any twelve (12) month period by following the instructions below. To exercise more than one right at a time, please submit each request individually. If you submit multiple requests, we cannot guarantee the order in which your requests will be processed:
You have the right to know what categories of Personal Information we collected in the preceding twelve (12) months, including the categories of sources from which the Personal Information was collected, the specific pieces of Personal Information we have collected about you, and the business or commercial purposes for which such Personal Information was collected and shared. You also have the right to know the categories of Personal Information which were disclosed for business purposes, and the categories of third parties with whom we shared your Personal Information in the preceding twelve (12) months.
To exercise your right to know, please email us at [email protected] and follow these instructions:
i. Write to us from the email address or mailing address that is affiliated with your account and include "Right to Know Under CCPA" in the subject of the email or written request;
ii. Please include sufficient Personal Information for us to verify the identity affiliated with your account. For example, at a minimum please provide your full name, phone number, address, email and account number if applicable. We may request additional information to complete the verification process if we are unable to verify your identity initially;
iii. If you would like to know the categories of sources from which we collected your Personal Information, write "I am writing to request the categories of sources from which my personal information was collected" in your request;
iv. If you would like to know the specific Personal Information that we have collected about you, write "I am writing to request the specific personal information we have collected about you" in your request;
v. If you would like to know the business or commercial purposes for which we collected or shared your Personal Information, write "I am writing to request the business or commercial purposes for which my personal information was collected" in your request;
vi. If you would like to know the categories of Personal Information which were disclosed for business purposes, write “I am writing to request the categories of personal information disclosed for business purposes” in your request;
vii. If you would like to know the categories of Personal Information collected about you, write "I am writing to request the categories of personal information that was collected" in your request; and
viii. If you would like to know the categories of third parties with whom we shared your Personal Information in the preceding 12 months, write "I am writing to request the categories of third parties with whom you shared my personal information" in your request.
You have the right to receive the Personal Information that you gave us. The information that we will provide to you will be masked, meaning that portions of it will be omitted so that it can't be used fraudulently. For example, your telephone number may display as (123) - XXXXXX67. In order to exercise your right to access, email us at [email protected] and follow these instructions:
a. Write to us from the email address or mailing address that is affiliated with your account and include "Right to Access Personal Information Under CCPA" in the subject of the email or written request;
b. Please include sufficient Personal Information in your request for us to verify the identity affiliated with your account. For example, provide your full name, address, Email, Phone Number and account number if applicable. We may request additional information to complete the verification process if we are unable to verify your identity initially; and
c. In the body of your request, please write "I would like access to all of the information that I have given to you over the past 12 months."
You can request to have your Personal Information deleted and we will ask our Service Providers to do the same. Please note that if we delete your Personal Information, many of our Services will not work the same. For example, you will not have an account (since any prior saved data will be deleted). If you make multiple requests under this section, we recommend sending your deletion request last, as we will not be able to fulfill your other requests once we have deleted your information.
Exceptions: We may not be able to fulfill your request if we (or our Service Providers) are required to retain your Personal Information for one or more of the following reasons:
i. Transactional: to receive the Services for which the Personal Information was collected, provide a good or service requested by you, or perform a contract we have with you;
ii. Security: to detect data security incidents;
iii. Error Correction: to debug or repair any errors;
iv. Legal: to protect against fraud or illegal activity or to comply with applicable law or a legal obligation, or exercise rights under the law, such as the right to free speech; or
v. Internal Use: to use your Personal Information, internally, in a lawful manner that is compatible with the context in which you provided the information (i.e., to improve our services).
To exercise your right to deletion, email us at [email protected] and follow these instructions:
i. In the body of your request, please write "I would like my information deleted" and provide the information that you would like deleted;
ii. Please include sufficient Personal Information for us to verify the identity affiliated with your account. For example, provide your full name, address, Email, Phone Number, and account number if applicable. We may request additional information to complete the verification process if we cannot verify your identity initially. Our ability to fulfill your deletion request is limited by the information you provide us, and the information associated with your account. For example, if you have multiple email addresses and you include only one in your request, we will only delete the email address that you included in the request. To delete multiple email addresses, you must verify you own applicable email account by sending the request from the applicable email address.
You can request to have inaccuracies corrected in your Personal Information we have collected.
To exercise your right to correction, email us at [email protected] and follow these instructions:
i. In the body of your request, please write "I would like my information corrected" and provide the information that is inaccurate and the way(s) in which it should be corrected; if you are requesting a correction to documentation created by a Vori clinician, your request will be reviewed by the Vori clinician and either the clinical documentation edited or a note inserted into your medical record which records your request to correct the information and the information which you requested be corrected.
ii. Please include sufficient Personal Information for us to verify the identity affiliated with your account. For example, provide your full name, address, Email, Phone Number, and account number if applicable. We may request additional information to complete the verification process if we cannot verify your identity initially. Our ability to fulfill your correction request is limited by the information you provide us, and the information associated with your account. For example, if the same piece of information in inaccurate in multiple places and you only include one in your request, we will only correct the information that you included in the request.
You have the right to request to opt out of the sharing of your Personal Information by us. However, we do not “share” your Personal Information with “third parties” as those terms are defined in the CCPA.
We will not discriminate against you for exercising any of your rights, and we will not deny you goods or services, charge you a different price, or provide you with a lesser quality of goods or services if you exercise any of your rights, unless by exercising any of your rights we are unable to provide the Services for which the Personal Information was collected, or perform a contract we have with you.
Our Website and Services may contain links to and from other websites or allow you to share certain content on third party websites or social platforms, such as Facebook and Twitter. A link to a third party's website or social platform does not mean that we endorse it or that we are affiliated with it. We do not exercise control over third party websites or social platforms; you access such third-party websites or social platforms at your own risk. You should always read the privacy policy of a third-party website and social platform before sharing any information on or with them.
From time to time, we may establish a business relationship with other businesses whom we believe trustworthy and who have confirmed that their privacy practices are consistent with ours ("Service Providers"). For example, we may contract with Service Providers to provide certain services, such as hosting and maintenance, data storage and management. We only provide our Service Providers with the information necessary for them to perform these services on our behalf. Each Service Provider must agree to use reasonable security procedures and practices, appropriate to the nature of the information involved, in order to protect your Personal Information from unauthorized access, use, or disclosure. Service Providers are prohibited from using Personal Information other than as specified by us.
We may make your Protected Health Information available electronically through an electronic health information exchange to other health care providers that request your information for their treatment purposes. In all cases, the requesting provider must have or have had a treating relationship with you. Participation in an electronic health information exchange also lets us see other providers’ information about you for our treatment purposes.
We may share Personal Information and usage data with businesses controlling, controlled by, or under common control with Vori Health. If Vori Health is merged, acquired, or sold, or in the event of a transfer of some or all of our assets, we may disclose or transfer Personal Information and usage data in connection with such transaction. You will have the opportunity to opt-out of any such transfer if, in our discretion, it will result in the handling of your Personal Information in a way that differs materially from this Privacy Policy.
We cooperate with government and law enforcement officials and private parties to enforce and comply with the law. We may disclose Personal Information and any other information about you to government or law enforcement officials or private parties if, in our discretion, we believe it is necessary or appropriate in order to respond to legal requests (including court orders and subpoenas), to protect the safety, property, or rights of Vori Health or of any third party, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law.
We maintain physical, electronic, and procedural safeguards to protect the confidentiality and security of information transmitted to us. However, no data transmission over the Internet or other network can be guaranteed to be 100% secure. As a result, while we strive to protect information transmitted on or through the Website or Services, we cannot and do not guarantee the security of any information you transmit on or through the Website or Services, and you do so at your own risk.
The Site and Services are intended for users who are 18 years old or older. We do not knowingly collect Personal Information from children under the age of 18.
Please be aware that your Personal Information and communications may be transferred to and maintained on servers or databases located outside your state, province, or country. If you are located outside of the United States, please be advised that we process and store all information in the United States. The laws in the United States may not be as protective of your privacy as those in your location. By using the Site or Services, you are agreeing to the collection, use, transfer, and disclosure of your Personal Information and communications will be governed by the applicable laws in the United States.
We will respect "do not track" signals from your device. However, certain functionality on the Website will not work unless cookies are enabled.
We are headquartered in the United States. Your Personal Information may be accessed by us or transferred to us in the United States or to our affiliates, partners, merchants, or service providers who are located worldwide. If you are visiting the Website from outside the United States, be aware that your information may be transferred to, stored, and processed in the United States where our servers are located, and our central database is operated. By using the Website, you consent to any transfer of this information.
We will protect the privacy and security of Personal Information according to this privacy statement, regardless of where it is processed or stored, however you explicitly acknowledge and consent to the fact that Personal Information stored or processed in the United States will be subject to the laws of the United States, including the ability of governments, courts or law enforcement or regulatory agencies of the United States to obtain disclosure of your Personal Information.
Questions or comments regarding this Policy should be submitted to the Vori Health Privacy Officer by mail as follows:
Vori Health
100 Powell Place #1441
Nashville, TN 37204
Attention: Vori Health Chief Privacy Officer
Or by electronic means at:
[email protected]
Effective date: February 12, 2023
Approved by Mary I. O’Connor, MD, Chief Compliance Officer