Simplica considers individual privacy paramount, and we take great care in keeping the information private and secure.
Business Associate – a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a Covered Entity that involve access by the business associate to protected health information.
Controller – an agency, entity, or legal person who determines the purposes and means of processing Personal Data.
Covered Entity – health plan, health care clearinghouse, or health care provider who electronically transmits any health information in connection with transactions for which the HHS has adopted standards.
HHS – US Department of Health and Human Services
HIPAA – The Health Insurance Portability and Accountability Act
Human Resources – the function that deals with compensation and benefits, recruiting and hiring, onboarding employees, engagement of contractors, performance management, training, and organization development and culture
Personal Data – any information relating to an identified or identifiable natural person (in the case of a resident of the EU or EEA, a “Data Subject”). An identifiable person is one who can be identified by referencing an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
PHI – personal health information created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services.
Processor – an agency, entity, or legal person with responsibility for processing Personal Data on behalf of a Controller.
This policy applies to
- Personal Data processed by Simplica in its role as Processor
- Personal Data processed by Simplica in its role as Business Associate
- Personal Data collected by Simplica as Controller, usually as part of its contractual relationship with customer
- Personal Data of visitors to Simplica’s website which may be collected by Simplica as Controller
- Personal Data of Simplica employees and contractors
- Information Security Policy
- Human Resources Policy
Simplica as Data Processor
Simplica provides its customers with hosting infrastructure, has limited knowledge of customer data within that infrastructure, and only processes hosted data in accordance with the customer’s instructions. Simplica is a Processor of the hosted data, and the customer is the Controller for that hosted data. Customers are responsible for adhering to legal and regulatory requirements for the data which they collect and process as a Controller.
Simplica ensures that any subcontractor it engages for carrying out specific processing activities on behalf of the customer will be subject to the same data protection obligations as Simplica.
Simplica as Business Associate
Simplica’s customers who have direct access to personal medical information such as PHI are Covered Entities under HIPAA. With regard to these customers, Simplica is both a Business Associate and a Processor. The foregoing policy statements contained in the section “Simplica as Data Processor” also apply to our Covered Entity customers. In addition, the relationship between Covered Entity customer and Simplica is governed by a Business Associate Agreement or Addendum in which Simplica agrees
- not to use or further disclose PHI other than as permitted or required by the contract or as required by law;
- to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
- to report to the Covered Entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
- to disclose protected health information as specified in its contract to satisfy a Covered Entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
- to the extent Simplica is to carry out a Covered Entity’s obligation under the Privacy Rule, to comply with the requirements applicable to the obligation;
- to make available to HHS Simplica’s internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by Simplica on behalf of, the Covered Entity for purposes of HHS determining the Covered Entity’s compliance with the HIPAA Privacy Rule;
- at termination of the contract, if feasible, to return or destroy all PHI received from, or created or received by Simplica on behalf of the Covered Entity;
- to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to Simplica with respect to such information; and
- to authorize termination of the contract by the Covered Entity if Simplica violates a material term of the contract.
Simplica as Data Controller
Simplica collects and maintains Personal Data (1) for the offer and maintenance of Simplica services for customer use, and for the related communications and uses, (2) for the maintenance of the Simplica.com website, and (3) for Human Resources purposes. For these purposes, Simplica is Controller.
The collection and processing of Customer’s Personal Data for direct use and administration of our Services is based on contractual obligation, necessary to provide Customer with access and use of the services.
Personal Data We Collect
1. Information Customer gives us in order to effectively operate in order to carry out our contractual obligation with customer;
2. Information we receive from third parties in order to fulfill our contractual obligation with Customer;
3. Information we collect when an individual visits the Simplica.com website such as IP addresses;
5. Information collected through the use of Forms on the Simplica.com website, such as name, email address, and demographic information such as city, state and zip code; and
6. Information necessary for Human Resources administration.
How We Use Personal Data
1. To provide a requested service to customer, we use data for
- customer support
- account notifications
- security and safety
- providing our services
2. When an individual visits the Simplica.com website, we use
- IP addresses to help diagnose problems with our server, and to administer our Website and to gather broad demographic information;
- cookies so that we can better serve you when you return to our site;
- forms which request contact information used to contact you when necessary.
3. For Human Resources purposes, we use information such as
- name and contact information
- work and education history
- work entitlement information (e.g. citizenship or visa status)
- compensation and payroll information
- other information necessary to comply with our legal obligations
Reasons We Share Personal Data
This section describes how Simplica may share and disclose Personal Data. Simplica may share Personal Data with customer’s consent or as necessary to complete a transaction or to provide a service customer has requested or authorized. For example:
1. If customer elects to use connected third-party applications, we may share Personal Data with companies who provide those applications. In those cases, we encourage customer to review and understand the terms and conditions and privacy policies of those third parties over whom we have no control.
2. We may use third-party service providers to help us operate or administer our services. For example, companies we’ve hired to assist in protecting and securing our services and systems may need access to Personal Data to complete those functions. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use Personal Data they receive from us for any other purpose.
3. As we believe to be necessary or appropriate, we may disclose Personal Data: (a) under applicable laws; (b) to comply with a subpoena or other legal process; (c) to respond to requests from public and government authorities; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our customers or affiliates; and (f) to allow us to pursue available remedies or limit the damages that we may sustain.
Simplica does not share Personal Data with third parties for marketing purposes. Similarly, Personal Data collected through the use of the Simplica.com website is not shared. Personal Data collected for Human Resources administration is shared only to fulfill a Human Resources purpose.
How We Protect Information
We keep personal data to enable your continued use of Simplica services, for as long as it is required in order to fulfill the relevant purposes described in this Privacy Statement, as may be required by law (including for tax and accounting purposes), or as otherwise communicated to you. How long we retain specific personal data varies depending on the purpose for its use.
Access and Control of Personal Data
Access and control of personal data is managed by the Simplica Privacy Officer. Requests regarding access and control of personal data, whether related to Simplica as Processor or Controller, should be directed to support[at]simplica.com.
For Individuals in the European Union
General Data Protection Regulation (GDPR)
If an employee, contractor, customer, or visitor to the Simplica.com website is located in the European Union, those individuals have rights to access personal data about them and to limit use and disclosure of their personal data. Those rights include
1. the right to object to processing,
2. the right to be informed,
3. the right of access,
4. the right to rectification,
5. the right to erasure,
6. the right to restrict processing,
7. the right to data portability,
8. the right to lodge a complaint with your local Supervisory Authority, and
9. the right to withdraw consent.
Because Simplica, as Processor, has limited ability to access data our customers submit to our services, if you wish to request access, to limit use, or to limit disclosure, please provide the name of the Simplica customer who submitted your data to our services. We will refer your request to that customer, and will support them as needed in responding to your request.
EU-U.S. Privacy Shield Framework
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Simplica Corporation is subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission.
Pursuant to the Privacy Shield Frameworks, EU individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to support[at]simplica.com. If requested to remove data, we will respond within a reasonable timeframe.
Simplica will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to support[at]simplica.com.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Simplica’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Simplica remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Simplica proves that it is not responsible for the event giving rise to the damage.
In compliance with the Privacy Shield Principles, Simplica commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union individuals with Privacy Shield inquiries or complaints should first contact Simplica by email at support[at]simplica.com.
Simplica has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your complaint involves human resources data transferred to the United States from the EU in the context of the employment relationship, and Simplica does not address it satisfactorily, Simplica commits to cooperate with the panel established by the EU data protection authorities (DPA Panel), as applicable and to comply with the advice given by the DPA panel, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.