Tiatros Inc. (“Tiatros”) is the operator of www.tiatros.com, the Tiatros iOS app, and the Tiatros android app (collectively, the “Service”). Tiatros also distributes and operates a portfolio of online CBT+-based peer group psychotherapeutic programs (each, a “Program), which registered participants (each, individually, a “Participant”) access and perform on an area of the Service that is reserved for Participants of Programs (the “Program Area”). Tiatros also distributes and operates online ‘After Programs’ for Participants who want to maintain continued access to the Program content and materials after they complete their Program, and to participate in a social community of Participants who have also completed the same Program. After Programs are accessed and performed on an area of the Service that is reserved for Participants in the After Program (the “After Program Area”).
What Kind of Information We Collect
Any and all of the information that casual visitors to the Service provide about themselves may be publicly displayed on the Service and aggregated and shared with Partners and others (the “Shared Data”).
Some of the information that Participants provide when registering to participate, or participating in, a Program or After Program may be “individually identifiable health information” or “Protected Health Information,” i.e., information created or received by a health care provider, health plan, employer, or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual Participant; the provision of health care to an individual Participant; and/or the past, present or future payment for the provision of health care to an individual Participant (the “Restricted Data”).
Examples of Restricted Data that Participants may provide within a Program and an After Program include:
- (A) Names
- (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
- The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
- The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- (C) All elements of dates (except year) for dates directly related to an individual, including birthdate, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- (D) Telephone numbers;
- (E) Fax numbers;
- (F) Electronic mail addresses;
- (G) Social security numbers;
- (H) Medical record numbers;
- (I) Health plan beneficiary numbers;
- (J) Account numbers;
- (K) Certificate/license numbers;
- (L) Vehicle identifiers and serial numbers, including license plate numbers;
- (M) Device identifiers and serial numbers;
- (N) Web Universal Resource Locators (URLs);
- (O) Internet Protocol (IP) address numbers;
- (P) Biometric identifiers, including finger and voice prints;
- (Q) Full face photographic images and any comparable images; and
- (R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
- (ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
How Your Data Are Used
Visitors to the Service should expect that every piece of information they submit (even if it is not currently displayed), except for Restricted Data, may be displayed and shared with Partners and others. All visitors to the Service should be aware that the more information that is provided on the Service, the more likely it is that the visitor could be located or identified.
There are instances where both Shared Data and Restricted Data, including “individually identifiable health information” or “Protected Health Information,” may be used and/or disclosed, including without limitation, the following:
- Tiatros uses Shared Data, Restricted Data, and usage data internally for many purposes, including without limitation, as needed for product development; research; the maintenance, operation and improvement of the Service and the Programs and After Programs; and to create the best possible tools and functionality for visitors and Participants.
- Tiatros may use a Participant’s data, including Restricted Data, in the case of an emergency or other circumstance that we determine requires us to directly contact the Participant. We may also share a Participant’s data, including Restricted Data, if we determine that an emergency or other circumstance requires a clinician, first responder, family member, or other third party should directly contact the Participant.
- Tiatros may share or disclose a visitor’s or Participant’s data where required by law or to comply with legal process.
- In the event Tiatros goes through a business transition, such as a merger, acquisition by another organization, or sale of all or a portion of its assets, the Shared Data and Restricted Data, including Personal Information and Protected Health Information, might be among the assets transferred. Participants will be notified via this Service of any such change in ownership or control.
In addition to serving the individual needs of Participants, Tiatros and its Partners are interested in better understanding the patient experience as well as improving treatments and health outcomes for everyone. For example, we may look at questions such as, “Do certain treatments work better for some types of people versus others?” Tiatros provides Shared Data, in individual and aggregate format, to Partners and other third parties for use in scientific research; market research; and product improvement. When selling this information, Tiatros de-identifies and/or removes Participants’ Restricted Data to reduce the likelihood of re-identification prior to sharing information with Partners.
Tiatros may also periodically survey Participants about their experiences, including questions about our products and services. Survey responses are analyzed and may be shared with or sold to Partners. Member participation in these surveys is not required, and refusal to do so will not impact a Participant’s experience.
Tiatros may also report individual adverse event and drug safety information to the Food and Drug Administration, Centers for Disease Control, and/or other regulatory bodies (U.S. and international) as well as directly to pharmaceutical and biotechnology companies. Tiatros does not provide Restricted Data to such regulatory bodies, although we reserve the right to contact Participants for follow-up at the request of agencies or Partners. The information Tiatros reports may include, but is not limited to, all of the information about the Participant, which may include Shared Data as well as health data that Tiatros has de-identified.
In addition, certain areas within our Service, including without limitation, on the Program Area and the After Program Area, may be provided with the support of Partners. These Partners may have adverse event reporting requirements that relate to regulated products that are used by Participants of our community, and, if so, Tiatros assists such Partners with reporting adverse events to regulatory agencies.
Participants acknowledge and accept that any information shared through free text or images might be connected to Participants’ Shared Data (which may be shared with, sold to, or displayed for others). For example, if a Participant puts his or her name (or other Personal Information) into a free text field like the goals, CBT+ exercises, journals or group interactions, then the Participant should know this information may be included in what is shared with, displayed for, or sold to Partners.
How Restricted Data is Used
Restricted Data is not automatically shared with, sold to, or displayed for other Participants or Partners. Tiatros may share de-identified data that is extracted from Restricted Data with its Partners and others; provided that, in order to be de-identified data, health information, including Restricted Data, must be stripped of any elements that can be used to identify the individual Participant, his or her relatives, employers, or household members.
Other Security Issues
Tiatros cannot guarantee the identity of any other Participants with whom a Participant may interact in the course of using the Service, the Programs and Program Area, and the After Program and After Program Area or who may have access to a Participant’s Shared Data. Additionally, we cannot guarantee the authenticity of any data that Participants may provide about themselves. Finally, Participants should know that Tiatros takes commercially reasonable technical precautions to help keep Participant data secure.
Risks and Benefits
While our goal is to enable Participants to improve their health and achieve their goals, there are no certain benefits to using the Service, the Programs and Program Area, and the After Program and After Program Area.
There are no known risks to using the Service, the Programs and Program Area, and the After Program and After Program Area, but there is a possibility that users may feel uncomfortable sharing information online. It is possible that a Participant could be identified using information shared on Tiatros, and/or in conjunction with other data sources. A Participant could be discriminated against or experience repercussions as a result of the information he or she shares.
When using the Service, the Programs and Program Area, and the After Program and After Program Area, Participants are free to skip any non-required questions or data fields that make them feel uncomfortable. Participants are also free to stop using this Service at any time. If a Participant chooses to deactivate his/her account, Tiatros will not display or sell the data in that account as of the date of deactivation. However, the Participant’s data will remain in the system for auditing purposes, and research conducted prior to the deactivation of a Participant’s account will still include his or her data.
Tiatros Does Not Currently Comply with the EU-U.S. Privacy Shield Framework, the U.S.-EU Safe Harbor Framework, or the U.S.-Swiss Safe Harbor Framework
Tiatros does not currently comply with the EU-U.S. Privacy Shield Framework, the U.S.-EU Safe Harbor Framework, or the U.S.-Swiss Safe Harbor Framework as set forth by the United States Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland.