Privacy Policy



The privacy, confidence, and trust of individuals who log into the Inflexxion ASI-MV Website are very important to us. No Protected Health Information (PHI) is collected at this site unless it is provided voluntarily by an individual while participating in an activity that asks for the information. The following paragraphs disclose the information gathering and usage practices for the website. 



In the ASI-MV application, PHI is entered by the customer via a secured web browsing session and transferred to a secured database. When entering survey data, the browsing session is protected by TLS. This type of information is then transferred to an encrypted database. Data is also encrypted in transit between the web server and the database server. Communication between the web server and the database server is encrypted using TLS. 


Data from the ASI-MV application are automatically de-identified via a filtering process before they are entered into the Analytic Database. 


In ASI-MV, we do have the functionality for data transfers to electronic health records via secure web service calls for customers who request this service. 



Inflexxion’s receipt of the ASI-MV data from Data Sources (customers) is pursuant to business associate agreements (“BAAs”) between Inflexxion and licensees of the ASI-MV applications. Aggregation of data into ASI-MV datasets (“Datasets”) pursuant to the BAA, its disclosure of those aggregated datasets to its customers for treatment, healthcare operations and research purposes in accordance with the terms of the BAA, as well as its sale and disclosure of those aggregated Datasets to third parties for research purposes in accordance with the terms of the BAA, comply in all material respects with HIPAA Privacy Requirements. 


Inflexxion is not itself a “covered entity” within the meaning of HIPAA since it is not a health plan, health care provider or health care clearinghouse, and does not transmit health information in electronic form in any transaction covered by the HIPAA Privacy Requirements except at the request of covered entities and their designees. The ASI-MV data for all versions of the product that will be used by Inflexxion is for aggregation into de-identified Datasets. The only purposes for which the Datasets will be used are for (1) treatment and health care operations purposes by or for the benefit of the Data Source that furnished ASI-MV data included in the Dataset, and (2) research and public health surveillance purposes by the Data Source, Inflexxion and others, including the sale of Datasets by Inflexxion to third parties for research purposes. 



PHI that is "de-identified" is not individually identifiable health information for HIPAA purposes, and falls outside the scope of the HIPAA Privacy Requirements, 45 CFR 164.514(a). Inflexxion has adopted a good faith legal position that the ASI-MV data in the form they are received by Inflexxion from Data Sources are fully de-identified and follow the standards outlined by the BAA. 



Inflexxion obtains the Retained Data from its Data Sources, including any PHI in the Retained Data, pursuant to a Business Associate Agreement. 


Under that BAA, Inflexxion is authorized and contractually obligated to engage in data aggregation and data de-identification services for and on behalf of its Data Sources for health care operations purposes. Inflexxion may perform such data aggregation services for such purposes under the BAA consistent with the HIPAA Privacy Requirements. 


In addition, a business associate, like Inflexxion, is permitted by the HIPAA Privacy Requirements to use PHI from a covered entity to create de-identified information, and to disclose such de-identified information to third parties, such as purchasers of the Datasets. In particular, 45 CFR 164.501(d)(1) provides that a “covered entity may use protected health information to create information that is not individually identifiable health information or may disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.” Thus, consistent with the HIPAA Privacy Requirements, Data Sources may disclose PHI to Inflexxion to be de-identified and sold for use by third parties. To the extent that the Retained Data and resulting Datasets generated by Inflexxion contain only de-identified information (which is the case), then Inflexxion is free to disclose those Datasets to third parties. 


Even if the Retained Data do not meet all of the safe harbor de-identification standards (which they do meet, as discussed above), the Data Source can disclose the Retained Data to Inflexxion for purposes of creating a so-called “limited data set” for research, public health or health care operations purposes. See 45 CFR 164.514(e) for more information. 


A limited data set is PHI that excludes the following direct identifiers of the patient or relatives, employers or household members of the patient: 


a. Names;

b. Postal address (may retain city, State, and nine-digit zip code);

c. Telephone numbers;

d. Fax numbers;

e. Electronic mail addresses;

f. Social security numbers;

g. Medical record numbers;

h. Health plan beneficiary numbers;

i. Account numbers;

j. Certificate/license numbers;

k. Vehicle identifiers and serial numbers, including license plate numbers;

l. Device identifiers and serial numbers;

m. Web Universal Resource Locators (URLs);

n. Internet Protocol (IP) address numbers;

o. Biometric identifiers, including finger and voice prints; and

p. Full face photographic images and any comparable images.


A limited data set may contain: 

a. Dates of admission and discharge, as well as dates of birth and death; and

b. Nine-digit zip codes, city, and State information.


The Retained Data fairly clearly constitutes a limited set for HIPAA purposes. 


Pursuant to 45 CFR 514(e)(1), a Data Source that is a covered entity may disclose to Inflexxion a limited data set, such as the Retained Data, “if the covered entity enters into a data use agreement with the limited data set recipient [i.e., Inflexxion], in accordance with paragraph (e)(4) of this section.” Under those Requirements, the data recipient can only use the limited data set for research, public health or health care operations purposes. 45 CFR 164.514(e)(3)(i) and (4)(i). As noted above, we understand and assume that Inflexxion will only use the Retained Data, in the form of a limited data set, for research, public health, or health care operations purposes. 


The Business Associate and Limited Data Set Use Agreement meet the LDS Requirements. Therefore, any Data Source that is a covered entity may disclose to Inflexxion the Retained Data, as a limited data set, for research, public health and health care operations purposes in accordance with the terms of the BAA. We also believe that Inflexxion may thereafter disclose or sell the Retained Data, in the form of a limited data set, to authorized third parties for research purposes in accordance with the terms of the BAA. 



Inflexxion is in material compliance with the HIPAA Privacy Requirements because it (1) enters into a Business Associate and Limited Data Set Use Agreement with its Data Sources that are covered entities, (2) receives PHI in the form of the Retained Data from the Data Sources in ASI-MV desktop application (V6 and 7), (3) protects PHI received in ASI-MV online (V8) by utilizing a secured web browsing session and data encryption to protect its database, as well as other security controls, (4) aggregates the Retained Data into a Dataset (that is also a limited data set for HIPAA purposes), (5) discloses or sells those Datasets to third parties either as (i) de-identified Datasets, to the extent such Datasets meet safe harbor de-identification standards (which they appear to meet) or (ii) limited data sets for research, public health and health care operations purposes, and (6) otherwise conforms its conduct to the terms of the form Business Associate and Limited Data Set Use Agreement. 



PHI is protected via a secured web browsing session using TLS; the data in the database is protected using transparent data encryption. 



Clients/patients’ de-identified, aggregate data are transferred from the ASI-MV application to Inflexxion’s Analytic Database for two reasons: 1.) to enable customers to look at their aggregate client/patient data in a number of ways, generate charts and graphs and to print reports; 2.) to allow Inflexxion to build a nationwide database on substance abuse trends and characteristics, including information on the growing problem of prescription drug abuse for both public health and research purposes only. 


The ASI-MV has additional, selected prescription medication questions only for clients/patients who identify they have used prescription medications. Along with the addition of the prescription medication questions that identify specific medication products, there are other screens that ask questions such as how the client/patient respondent obtained the drugs and route(s) of administration. 


These data are made available to authorized Data Source representatives and other appropriate stakeholders interested in the trends and characteristics of alcohol and drug problems, including prescription drugs, such as state and federal agencies, pharmaceutical companies, and research organizations. 



Data Source (customer) is responsible for ensuring that its staff use the ASI-MV application in an appropriate manner, consistent with good clinical practice, and for ensuring that client/patient PHI data which is available on their local computer are treated in a secure and confidential manner consistent with the HIPAA Privacy Rule (at 45 CFR Parts 160 and 164) and all applicable laws and regulations. 




Inflexxion only collects the personal information that is necessary to provide the information or services requested by an individual. "Personal information" refers to any information relating to an identified or identifiable individual who is the subject of the information. This is the same information that an individual might provide when visiting a government office and includes such items as an individual's name, address, or phone number. We also collect statistical information that helps us understand how people are using the web site so we can continually improve our services. The information collected is not associated with any specific individual and no attempt is made to profile individuals who browse the web site. Customers may be asked to participate in surveys at this site. Participation is optional, and the choice to participate or not to participate will have no effect on your ability to use other features of the site. 



Inflexxion does not disclose, give, sell or transfer any personal information about the website users to third parties, except to comply with legal requirements, as may be required by law, regulation, search warrant, subpoena or court order. However, if we are required to make such a disclosure to a third party, we will make a reasonable attempt to notify the user first, unless we are prohibited from doing so by law or court order. 



Inflexxion is the sole owner of the information collected via the ASI-MV. Inflexxion collects identifiable information from Data Source customers (NOT clients/patients or users of ASI-MV assessment) that are used for clinical reporting and electronic health record (EHR) integration per the BAA with those sites. Identifiable PHI is maintained in the Analytic Database that is separate from the de-identified Analytics Database. 



In order to use ASI-MV, an authorized Data Source representative completes the registration page and creates a user name and password. Requirements of registration include providing contact information, such as name, email address and phone numbers of Data Source contact personnel. This information is used to verify authorized users/customers and to contact users/customers about the programs’ functionality, services, and updates. 



To purchase a product or service from Inflexxion, certain identifiable information regarding the Data Source representative is requested on the order form. This includes contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date). This information is kept secure and used only for billing purposes and to fill orders. If we have trouble processing an order, we will use this information to contact the appropriate Data Source representative. Inflexxion does not sell or distribute to any third party any information that would individually identify a Data Source. 



Inflexxion will occasionally send information on products, services and special deals to customers. Out of respect for your privacy, we present the option not to receive these types of communications. 



The name and email address of the Data Source representative will be used to send periodic newsletters. Out of respect for our customers’ privacy, we provide them with a way to unsubscribe. 



Strictly service-related announcements will be sent on rare occasions when it is necessary to do so. Such announcements convey important system information, including, for instance, notice of temporary service suspension for maintenance. These announcements are typically sent by email. Generally, customers may not opt-out of these communications, which are not promotional in nature. If customers do not wish to receive them, customers have the option to deactivate their accounts. 



Identifiable information of the Data Source representative collected during registration will be used to send a welcoming email to verify the username and password for the ASI-MV application. We will also communicate with customers in response to inquiries, to provide the services requested, and to manage their accounts. We will communicate with customers by email or telephone, in accordance with specific customer requests. 



If you do nothing during your visit but browse through the ASI-MV web site, read pages, or download information, we will gather and store certain information about your visit automatically. This information does not identify you personally. We automatically collect and store only the following information about your visit: 


  • The Internet domain and IP address from which you access our website;
  • The type of browser and operating system used to access our site;
  • The date and time you access our site;
  • The pages you visit; and
  • If you linked to the ASI-MV web site from another website, the address of that website.


We use this information to help us make our site more useful to visitors -- to learn about the number of visitors to our site and the types of technology our visitors use. We do not track or record information about individuals and their visits. 



Any web page or application at the ASI-MV website that uses cookies will identify itself as such. Cookies are short and simple text files that are stored on a user's computer hard drive by websites. They are used to keep track of and store information so the user does not have to supply the information multiple times. The information that is collected through cookies at this site is handled in the same manner as other information collected here. Customers can configure their web browser to refuse cookies or to notify them when a website attempts to send a cookie. They can also check their hard drives for cookie files and delete them from their computers. If a customer chooses to delete or refuse cookies, he/she may experience some inconvenience with the automated functionality that recognizes him/her as a returning user. Also, if they choose to delete or disable session cookies, they may not be able to use the site correctly. 



Inflexxion is committed to the security of the information that is either available from or collected by the ASI-MV website. Inflexxion has taken multiple steps to safeguard the integrity of its telecommunications and computing infrastructure, including but not limited to, authentication, monitoring, auditing, and encryption. 



The ASI-MV application website has links to some other websites. Inflexxion is not responsible for the content or privacy practices of these sites and suggests you review their privacy policies. 



Inflexxion may change any of the terms in this Privacy Policy at any time. Changes will become effective when the ASI-MV application posts the modified Privacy Policy on the website. Inflexxion will inform customers of any material changes to the Privacy Policy. If a customer does not agree to the changes, he/she must cease use of the website. Continued use of the ASI-MV application by any customer constitutes acceptance of the changes to the Privacy Policy. 



Inflexxion’s Privacy Policy has no application to proprietary information, ideas or other intellectual property that customers send to Inflexxion via email or otherwise. If customers want to keep such information private or proprietary, then they should not include them in an email to Inflexxion. 



Inflexxion welcomes comments regarding this Privacy Policy. Please convey any questions or concerns to: 

Privacy Officer 

Inflexxion, Inc. 

890 Winter Street, Suite 235 

Waltham, MA 02451