CARIN Code of Conduct Attestation

TendTo’s public commitment to consumer-directed health information exchange.

Phase I endorsement. TendTo (operated by Thoughtful Labs, LLC) endorses and attests to the CARIN Alliance Code of Conduct for Consumer-Facing Applications (2023). The Code is a voluntary trust framework for non-HIPAA-covered consumer-facing applications that ingest patient health data via consumer-directed exchange (e.g., HL7 FHIR APIs published by health plans and providers under federal patient-access rules).

This page enumerates each commitment in the Code and links to the artifacts in our product and policies that operationalize it. Where a commitment is partially in place, we name the gap and our remediation plan.

I. Transparency

We will:

  • Maintain a prominent, plain-language Privacy Policy covering collection, consent, use, disclosure, individual access, security, and retention/deletion, including how we handle de-identified or pseudonymized data.
  • Be clear about which uses and disclosures are required to operate the Service and which are optional. Users may decline any optional disclosure (such as AI processing of FHIR-imported data) and continue using core features.
  • Disclose how data about third-party individuals (such as a care recipient whose information a caregiver enters) is handled, and the responsibilities of caregivers with respect to that data.
  • Proactively notify users at least 30 days in advance of any material change to this policy and request affirmative re-consent before the change takes effect (see Material Changes in our Privacy Policy).
  • Disclose that data collected via FHIR APIs is collected on a persistent basis (refreshed approximately every six hours), identify the duration of that collection, and explain how users can change it.
  • Disclose any use of automated decision-making that could produce significant effects on a user. We do not use automated decision-making for housing, lending, employment, or insurance eligibility.
  • Describe what happens to user data after the user withdraws consent and provide concrete options at the moment of withdrawal.
  • Use the ONC Model Privacy Notice and the CARIN questionnaire as references for drafting and updating the policy.

II. Consent

We will:

  • Obtain informed, proactive consent before importing any FHIR data, issuing a SMART Health Card, or creating a share token. The pre-action screen itemizes the scopes requested, the resources included, the recipients, the retention behavior, and how to revoke.
  • Avoid default data sharing. Care-circle membership and AI processing of imported clinical data each require separate, explicit consent.
  • Comply with the Children’s Online Privacy Protection Act (COPPA). The Service is not directed at children under 13 as account holders.
  • Provide a central Privacy & Consent dashboard where users can see and revoke every active consent.
  • Allow users to indicate the third-party recipients of any share. We do not pre-populate recipients and we do not auto-publish.
  • On material changes, send advance notice and require affirmative re-consent — we do not treat continued use as consent to material changes.

III. Use & Disclosure

We will:

  • Contractually bind every subprocessor (listed at /legal/subprocessors) to commitments substantively similar to the ones in our Privacy Policy and to prohibit any use or disclosure inconsistent with those commitments.
  • Limit collection of personal data to what the user has expressly consented to, and limit FHIR scopes to the minimum needed for each connector (e.g., Blue Button: Patient, ExplanationOfBenefit, Coverage).
  • Not use or disclose personal data for any purpose not consistent with reasonable user expectations given the caregiving context.
  • Not sell personal data, and not engage in targeted advertising.

IV. Individual Access

We will:

  • Provide users with the ability to view all data collected about them or about their care recipient, including imported FHIR data.
  • Provide a clear “Report inaccurate data” control on imported FHIR records. Where the underlying error is in the source system (e.g., a Medicare claim), we educate users on their HIPAA right to request amendment from the covered entity that created the record and link out to the relevant process.
  • Establish and communicate a clear policy for stale, inaccurate, or incomplete data, including how it is flagged for downstream recipients of share links.
  • Honor the right to be forgotten: upon request and where not legally required to retain, securely dispose of a user’s personal data with respect to any future use or disclosure. The disconnect screen for any FHIR connection offers immediate deletion of the imported data, and any user may request full account deletion at any time.

V. Security

We will:

  • Follow safeguards appropriate for the personal data we hold, including AES-256-GCM encryption of sensitive fields at rest, TLS in transit, row-level security, PKCE-protected OAuth flows, HMAC-signed state tokens with short expirations, and administrative audit logs.
  • Comply with the FTC Health Breach Notification Rule (16 C.F.R. Part 318) and any applicable state breach laws. Notice will be sent within 60 days of discovery (see Privacy Policy § Breach Notification).
  • When requesting a copy of a user’s health data on the user’s behalf from a HIPAA covered entity, rely on a covered-entity-issued credential (e.g., Medicare.gov via Blue Button OAuth) so identity assurance is enforced by the source of the data, and clearly indicate TendTo as the destination. We are reviewing support for SMART on FHIR app launch and customer-acquired NIST IAL2/AAL2 credentials for non-Medicare connectors.
  • Adopt internal policies and contractual commitments that prohibit re-identification of de-identified or pseudonymized data.
  • Implement a dormant-account policy: warning email at 18 months of inactivity, suspension at 24 months, deletion at 30 months.

VI. Provenance

We will:

  • Maintain provenance for clinical data we hold. FHIR Bundles we export include Provenance resources tagging each entry with its original source (the covered entity that produced it or the user who entered it) and the import timestamp, so downstream recipients can see where the data came from.
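The shape of such an export, as an added example that is not TendTo's own code: each clinical entry in a FHIR R4 Bundle is paired with a Provenance resource naming its source and import timestamp, and a downstream check flags any entry that arrives without one. Resource ids, source labels and the timestamp are constructed placeholders.

```python
import uuid

# Constructed sample data (placeholder ids, not real records): two resources
# imported from a covered entity over a FHIR API, one entered by a caregiver.
IMPORTED = [
    {"resourceType": "Coverage", "id": "cov-1", "status": "active"},
    {"resourceType": "ExplanationOfBenefit", "id": "eob-1", "status": "active"},
]
CAREGIVER_ENTERED = [
    {"resourceType": "Observation", "id": "obs-1", "status": "final"},
]
AGENT_TYPE_SYSTEM = "http://terminology.hl7.org/CodeSystem/provenance-participant-type"


def provenance_for(resource, who, agent_type, recorded):
    """Build a FHIR R4 Provenance resource whose target is one bundle entry."""
    return {
        "resourceType": "Provenance",
        "id": f"prov-{resource['id']}",
        "target": [{"reference": f"{resource['resourceType']}/{resource['id']}"}],
        "recorded": recorded,  # import (or data-entry) time, ISO 8601 instant
        "agent": [{
            "type": {"coding": [{"system": AGENT_TYPE_SYSTEM, "code": agent_type}]},
            "who": {"display": who},  # covered entity or the user who entered it
        }],
    }


def build_export_bundle(imported, user_entered, source_label, user_label, now):
    """Collection Bundle with a Provenance resource beside every clinical entry."""
    resources = []
    for res in imported:  # data produced by the covered entity: agent type 'author'
        resources += [res, provenance_for(res, source_label, "author", now)]
    for res in user_entered:  # data typed in by the caregiver: agent type 'enterer'
        resources += [res, provenance_for(res, user_label, "enterer", now)]
    return {"resourceType": "Bundle", "type": "collection", "entry": [
        {"fullUrl": f"urn:uuid:{uuid.uuid5(uuid.NAMESPACE_URL, r['resourceType'] + '/' + r['id'])}",
         "resource": r} for r in resources]}


def untagged_entries(bundle):
    """Recipient-side check: references of clinical entries with no Provenance target."""
    refs, targeted = set(), set()
    for entry in bundle["entry"]:
        res = entry["resource"]
        if res["resourceType"] == "Provenance":
            targeted.update(t["reference"] for t in res["target"])
        else:
            refs.add(f"{res['resourceType']}/{res['id']}")
    return sorted(refs - targeted)
```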

VII. Accountability

We will:

  • Comply with all applicable federal and state laws.
  • Designate a responsible executive officer for these commitments — see signature block below.
  • Maintain a public process for collecting and responding to user complaints. We will acknowledge complaints within five business days and respond substantively within 30 days. Contact: [email protected]. If you are not satisfied with our response, you may also file a complaint with the U.S. Federal Trade Commission, your state Attorney General, or any other applicable authority.
  • Train our staff on these principles and review compliance with them on a regular cadence.
  • Notify the public if we obtain certification or accreditation under the CARIN Alliance Phase II questionnaire or Phase III independent accreditation (CARIN/EHNAC). To date we have completed Phase I (this attestation).

VIII. Education

We will:

  • Inform users about the choices, risks, benefits, and limitations of disclosing their personal health information through the Service. The first time a user connects a FHIR source or generates a SMART Health Card, we display educational copy and link out to authoritative third-party resources, including:

Attestation

On behalf of Thoughtful Labs, LLC, the offeror of TendTo, I attest that we agree to the principles set forth in the CARIN Alliance Code of Conduct for Consumer-Facing Applications and that we have implemented or are implementing the artifacts described above.

Company: Thoughtful Labs, LLC

Product: TendTo

Responsible officer: Mark Krieger, Founder & CEO

Privacy contact: [email protected]

Attested: April 30, 2026

Phase: I — Foundational endorsement

Questions about this attestation? Email [email protected]. Reports of conduct inconsistent with this attestation may also be sent to the U.S. Federal Trade Commission under its Section 5 authority.