The most common questions, we get about how we handle personal data and patient information can be found below:
Where are the patient data stored and are they encrypted?
Can patient data be stored on a dedicated server?
Can ExorLive use Active Directory?
Who is the controller of my data?
Is patient identifiable information used for any other purposes?
How often do you take backup of databases containing personal data?
How do you handle personal information of a child?
How do you handle a Personal Data Breach?
How do you limit access to patient data inside ExorLive and inside my account?
Privacy by Design - Built in Privacy
Who do I contact if I think there is a breach or have a complaint?
How do I limit the access to training programs in accordance with Health Information Privacy Laws?
What patient identifiable information is required to ensure that full functionality of the system is available?
We only need a unique ID per patient. You choose the type of ID to use.
As an example: First and last name is preferred, but not needed. Email is also preferred if you want to give the patient the exercise programme as an App.
>Where are the patient data stored and are they encrypted?
All data is replicated on multiple servers real-time, and Backups are stored on Microsoft Azure Servers located in Dublin, Ireland. ExorLive process and store data in accordance with current EU directives. The servers are administered by limited number of authorized technical personnel at ExorLive Headquarter in Oslo, Norway. Degree of anonymization can be chosen by the organisation. ExorLive encrypt data traffic through HTTPS.
Security in ExorLive is enforced by a strict security policy, and does not permit entities to be accessed or manipulated across organisations. Within the organisation, security is role based and users can be given administrative roles on a unit/department level.
The application is always accessed over SSL, safeguarding the information being exchanged between the client and the server from eavesdropping. ExorLive store only a hash of the user’s password, and when authenticating through ExorLive’s regular interface, salt, hashing, and a short lived challenge is used to ensure that message replay cannot be used to wrongfully gain access.
External services are required to use the SSL enabled endpoints to ensure transport security. The system provides integrity by ensuring that users are not able to insert or edit entities, they are not authorized for. Actions are logged.
Safety measures and procedures against external attacks: We are partners with Microsoft and keep our technical staff updated on the current system and security solutions; Through Azure, we ensure with Microsoft that
- Our services are always up to date on security and latest security patches
- Always running the latest version of important software
- Logging of all attempts at login
- Performance of manual vulnerability tests
ExorLive satisfies the requirement for built-in privacy. ExorLive is classified as a software in risk Class 1. This is the lowest risk class. We use single authentication for login unless otherwise is agreed upon.
Can patient data be stored on a dedicated server?
Patient data can be stored on a dedicated server. It can also be stored in your country/organisation on your dedicated server. This is a paid service in addition to the standard license fee.
Can ExorLive use Active Directory?
Yes. This is a paid service in addition to the standard license fee.
Whoever makes use of a cloud service for processing of personal data is the controller of personal data, even if the processing is carried out by a cloud service provider or its sub-contractors. The provider of the cloud service, and all of its sub-contractors hired for the processing, is the controller’s data processors.
The controller of personal data must, as a rule, ensure that there is a personal data processor agreement that meets the requirements of the Personal Data Act.
We usually sign the Personal Data Processor Agreement that the Organisation uses throughout the organisation.
Is patient identifiable information used for any other purposes?
No, we do not use identifiable information for any other purpose than the intended purpose.
How often do you take backup of databases containing personal data?
Backup is taken every night. Backup is stored for 1 year unless otherwise is agreed upon.
How do you handle personal information of a child?
The processing of personal data of a child shall be lawful, where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
We recommend that the parent receives the link to the exercise programmes for the child, or that the physiotherapist makes a note in the journal that the child can get direct access to the exercise programme, especially when this is given out as an app and not a print.
What are your interfaces for inputting patient information onto your system via links to existing systems and ensure that there is no duplication of data input?
You can read more about this here: http://developer.exorlive.com/api/
How do you handle a Personal Data Breach?
A personal data breach is reported to the supervisory authority within 72 hours. It is also reported to the person, if such a breach is likely to result in a high risk to the rights and freedoms of natural persons.
How do you limit access to patient data inside ExorLive and inside my account?
As an administrator, you are able to access several settings in the ExorLive administration panel, thus enabling you to adjust ExorLive to fit your organisation the best possible way. You can create departments in the desired number of levels and manage roles and rights. You can also upload different logos to each department within the same Organization.
Patient programmes can be locked/signed, i.e. only the creator and admin can access it. This is visible as an entry in ExorLive equivalent to the entry in a patient journal. You can also block departments for personal exercise programmes, per patient request, making the availability of the programmes limited. Share level options are also available.
All current actions are logged in the system and can be extracted as reports. For example, an activity log for a specified patient and an access log for a specified user (Instructor). You can read more about what you can do as an administrator to limit data HERE.
Privacy by Design - Built in Privacy
In ExorLive, the privacy is preserved as the default setting. In practice, this means that ExorLive's cookies are designed and developed with privacy as the default setting. Thus, the user is always informed of what information is processed, the purpose and who treats the information, as well as consent to this. Ref. Electronic Communications Act §2-7b
ExorLive has also adapted to the all new Privacy Policy that applies from 2018. Including data portability, the right to be forgotten and the right to not be profiled, unless you agree to it.
ExorLive is classified as a medical software in risk class 1, according to Medical Device Regulation, ISO 13485 and EU Directive 93/42/EEC. ExorLive is listed in The Norwegian Medicine's agency with number NO985542597/0886-54712. Personal data is stored on Microsoft Azure's servers in Ireland. Lagring av persondata skjer på Microsoft Azure server i Irland, which is in compliance with ISO 27001.
Who do I contact if I think there is a breach or have a complaint?
Our Support has the overall responsibility of all support cases, and evaluation of corrective actions and preventive actions (CAPA). E-mail: support@exorlive.com
Our Data Protection Officer has the overall responsibility for our safety procedures around personal data. E-mail: dpo@exorlive.com