Last updated: March 13, 2021
Kalix Inc. EIN 32-0490413 (“us,” “we,” or “our”) operates Kalix, a proprietary client management and record-keeping tool called Kalix (Kalix).
These terms and conditions inform our healthcare providers' ("Customer") patients and clients (“Clients” or "you") of our policies regarding the collection, use, and disclosure of personal data and Protected Health Information (PHI) ("Personal Information") when using Kalix. By using Kalix, you agree to the terms and conditions in this agreement.
Personal data is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your households, such as your name, email address, IP address, telephone number, and internet activity.
Protected Health Information is any identifiable demographic and other information relating to the past, present, or future physical or mental health or condition. This includes information related to the provision or payment of health care services that are created or received by a health care provider, health plan, employer, or health care clearinghouse.
1. Kalix Customers and their Clients
We do not have direct relationships with the Clients of our Customers. If we receive any inquiries or requests from Clients about their Personal Information, we will direct those inquiries or requests to the relevant Customer.
If you are a Client of one of our Customers (i.e., healthcare provider), we may retain your Personal Information on behalf of that Customer. If you have questions about how we process your Personal Information, we encourage you to reach out to the appropriate Customer. We may send any inquiries that we receive directly from you about our use of your Personal Information to that customer.
1. How We Collect and Use Your Personal Information
2. How We Use Information
We will only collect personal data that is necessary to fulfill the following purposes:
To provide and maintain Kalix
To provide Customer support
To respond to your inquiries
To gather analysis or valuable information so that we can improve Kalix
To monitor the usage of Kalix
To detect, prevent and address technical issues
To meet compliance with the law or meet regulatory requirements
Prevent, detect, or investigate security concerns, including fraud
To aggregate or anonymized personal data for Customers for marketing, advertising, research, analytics, or other similar purposes.
3. Information Our Customers Collect
Customers may collect the following personal data from you directly through Kalix as part of the provision of health services:
date of birth
sex, gender, and pronouns
mailing, billing, and residential address
other medical, personal, and nutritional data that you voluntarily provide.
For our Customers' use, we have third-party services for payment processing (e.g., payment processors).
The payment processors we work with are:
4. Retention of Data
Kalix Inc. will retain your personal data for as long as it is necessary for the purposes set out in this agreement. We will also retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
5. Security and Privacy
In accordance with the HIPAA Privacy Rule and other government privacy and security requirements, we use appropriate safeguards to protect the privacy and security of PHI.
We also request that all paying Customers based in the United States of America enter into a Business Associate Agreement (BAA) with us in accordance and in compliance with the Privacy Rule. The BAA requires Customers to make administrative, physical, and technical safeguards to ensure PHI's safe transmission and storage.
A summary of Kalix's privacy and security practices are listed below:
Kalix is hosted using a HIPAA compliant hosting provider - Microsoft Azure Cloud, located in the United States of America
Data is encrypted in transit
All data is encrypted in transit (to and from the cloud) using TLS (Transport Layer Security).
PHI is encrypted in transit between Kalix and our third-party providers.
Data is encrypted at rest
All data is encrypted at rest, including all backup copies.
We use certificate-based encryption methods, which means that the keys to access your records are stored in a special area of the operating system that is inaccessible to an outside attacker.
We also use higher levels of encryption than the current standards recommend
All data is stored in triple redundancies in two data centers 500 miles apart (hence, x6 redundancies)
Monitoring for suspicious activity:
Daily operational procedures are in place to log and monitor data 24/7, looking for any suspicious activities
Incident response process procedures are in place for containing the incident and notification to Customers.
At Kalix, access controls are in place that includes electronic identification and limiting physical on-site data access to a restricted list of people.
Directors (owners) of each Kalix account can restrict other users' access level to Kalix and their ability to alter records.
Kalix limits PHI transmission to the minimum necessary; for example, only a client's first name can be included in a message, not their full name.
Kalix allows Customers sending to send their clients (you) SMS (text messages), text-to-voice (voice messages), and email messages. Messages can be automated to remind (Appointment Reminders) and notify (Appointment Notices) about upcoming appointments, and as a reminder to pay outstanding bills (Billing and Late Payment Reminders). Alternatively, messages can be sent manually; i.e., to collect client information via online forms and electronic paperwork), to communicate with other healthcare providers, to send invoices and bills, as well as on an ad hoc basis.
What Does HIPAA Say About Messaging (Email, Text Message & Voice Message)
HIPAA does not explicitly prohibit the unencrypted transmission of electronically protected health information (ePHI). Reasonable precautions to minimize the amount of ePHI going over an insecure channel effort to implement safeguards should be made.
Messaging can be “opt-in," requiring you to consent prior to receiving any messages via Kalix.
Customers are provided with and can require HIPAA form - Notice of Privacy Practices to be completed via Kalix's Client Access Form functionality.
You have the ability to opt-out from receiving messages at any time.
Kalix does not send forms or documents via email, text-to-voice, or SMS but instead uses a secure web link, along with a code to unlock the form or document. The form or document is viewed and completed within Kalix in an encrypted environment.
Kalix's email messaging is encrypted in transit between Kalix and our third-party provider. Our HIPAA-compliant third-party email provider encrypts data at rest (in storage). When transmitting emails, by default, our third-party provider uses TLS (Transport Layer Security). They also check the validity and legitimacy of the mail server’s certificate. In situations that your email provider doesn’t support TLS, they fall back to sending messages un-encrypted (so messages are successfully received).
Text Messaging & Voice Messaging
Kalix's text and voice messaging are encrypted in transit between Kalix and our third-party provider. However, because text and voice messages are sent via the regular phone system, data is sent from our third-party provider to your phone un-encrypted. This is because, when transmitting text or voice messages, no technology currently exists to support encrypted messaging without the receiver downloading and using a specialized app.
7. Transborder data flows
Our servers are located in the United States of America; any personal, sensitive, or health information relating to you (protected information) may not be subject to the same privacy standards as in Australia or any other country.
By using Kalix, you give consent in clause 18.2, Australian Privacy Principle 8.1 will not apply. You may not be able to seek redress in the U.S., and the server providers and other overseas recipients are subject to foreign laws that could compel the disclosure of protected information to a third party, such as an overseas authority and government.
You agree and consent to us storing protected information on those servers in the United States of America and transferring protected information to those servers.
8. Changes to this Agreement
We reserve the right to change this agreement and make the new agreement apply to the personal information we already have, as well as any information we receive in the future.
9. Contact Us
If you have any questions about this agreement, please contact us at [email protected].