Confidentiality at Tidepool
In general, Tidepool is an extremely open organization. Part of our mission is to transfer as much of our knowledge, intellectual property and work product to the public as we can, because we feel like that's better for the diabetes community. Examples of things that we explicitly make public:
Our source code.
Our finances (e.g., tax returns, audit documents and other public filings).
Our regulatory quality system.
Our user interface designs.
Our product planning boards.
This Employee Handbook.
Even with our commitment to openness, we don't make everything public. For example:
Code: Server configuration information is kept confidential.
Specifications: Most (if not all) of the device protocol specifications we have received from device makers are confidential.
Finances: We don't publish our bank account numbers or credit card info, details of every transaction we make, nor details of grants or contracts with partners.
Regulatory: There are tests related to system security that we keep secret. And passwords used to log in to test accounts that we keep secret.
Design: We occasionally are given design samples or other documents, such as from a device maker partner, with an expectation of confidentiality.
Product planning: We keep security issue planning private. We keep some internal planning documents private.
Meeting notes: We take copious meeting notes that we keep private, for both internal and external meetings.
Hiring: Information about interview candidates, including notes taken during the interview process, we keep private.
And, of course, we keep all of our users' Protected Health Information (PHI) confidential. As part of your onboarding, and then each year thereafter, you will be required to complete HIPAA training and to undergo an audit of your computer and mobile devices. Our HIPAA training materials and audit template documents can be found here (internal-only).
In general, unless your job requires you to do so (e.g., for a project, for debugging a specific issue, or for providing customer support), you should never make copies of or publicly reveal any of our users' information, including names, email addresses or anything they store in their Tidepool account (on prd or int, the environments that house our HIPAA-compliant data).
It may not always be obvious what is and is not confidential. If you are ever unsure, it's always best to assume that it is confidential and ask the Chief Privacy Officer (currently Howard).
The content of the Tidepool Employee Handbook is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.