Terms of Use

The ACU-Track Clinical Outcomes Registry for Acupuncture and Traditional East Asian Medicine

hosted by Amplitude Clinical

The ACU-Track registry helps practitioners, clinics and organisations demonstrate the results of their clinical practice, by enabling them to track and record their patient’s clinical outcomes using remote health questionnaires and Patient Reported Outcome Measures (PROMs) online. It also allows practitioners to collect and store all their patient’s personal information, sensitive health data and clinical notes in one secure system.

By using our registry, practitioners will be supporting essential real-world research into Acupuncture and Traditional East Asian Medicine (TEAM) and will be directly contributing towards building a stronger evidence base for the profession. Our registry is capable of providing healthcare stakeholders with validated data on how much better patients can expect to get when they receive acupuncture and TEAM treatment, for which conditions, and for what cost. ONLY anonymised data will ever be used for this purpose.

All practitioner and patient data is collected and stored according to GDPR and other relevant international guidelines and is handled with the highest level of security and care. Before subscribing to the ACU-Track registry, as hosted by Amplitude Clinical, we ask that you please read and agree to abide by our Terms of Use.

 

ACU-Track Registry Terms of Use V1.2

If you are a practitioner or clinic interested in subscribing to ACU-Track, you may have questions about what data we collect and how we use it. Our Terms of Use describe clearly and explain exactly what data we collect from subscribers and system users, how it is stored, processed and who has access to it. All user data is collected and stored according to GDPR and other relevant international guidelines and is handled with the highest level of security and care.

If you decide to subscribe to the ACU-Track registry, as hosted by Amplitude Clinical, we ask that you please read the following information and agree to abide by our Terms of Use.

For US or other users bound under Health Insurance Portability and Accountability Act (HIPAA), these terms constitute the Business Associate Agreement (BAA) between ACU-Track/Amplitude Clinical and the client. These terms here relate to the Privacy, Security, Breach Notification, and Enforcement Rules as found in 45 CFR Part 160 and Part 164. The terms ‘business associate’, ‘covered entity’ and ‘Electronic Protected Health Information’ (ePHI) are defined according to the 45 CFR 160.103.

The term ACU-Track/Amplitude Clinical/Registry or ‘us’ or ‘we’, ‘our’ or ‘Business Associate’ refers to the owner/s of the website/registry.

The term ‘client’, ‘user’, ‘you’, ‘practitioner’, ‘clinic’ or ‘covered entity’ refers to the user of our registry.

The term Trusted Registry Partners (TRPs) refers to organisations/individuals granted permission to access anonymous registry data only. TRPs are typically academic/research institutions or independent researchers with an academic affiliation. All TRPs are bound by these terms.

Please get in touch if you have any further questions or wish to clarify any information: enquiries@acu-track.org

 

Data Roles and Responsibilities

  • You (the practitioner/clinic) are the DATA OWNER and CONTROLLER of your own patient data and are responsible for the protection of your patient’s personal and health data according to your national data regulations/laws and must act in accordance to this whenever accessing, downloading or transporting your clinical data.

  • Amplitude Clinical are the DATA CONTROLLERS of identifiable subscriber and practitioner data.

  • Amplitude Clinical are DATA PROCESSORs of identifiable practitioner data for account management purposes and are responsible for protecting access to your identifiable information.*

  • Amplitude Clinical are DATA PROCESSORs of identifiable patient data/Protected Health Information (PHI) for account management purposes only.

  • Amplitude Clinical and Trusted Registry Partners (TRPs) may be DATA PROCESSORs of anonymised, non-directly identifiable practitioner and patient data for auditing and research purposes.

All practitioner and patient data is collected and stored according to GDPR, HIPAA or other relevant international guidelines and is handled with the highest level of security and care. Only anonymous clinical data, collected via the registry, may be used and aggregated for auditing and research purposes. All directly identifiable practitioner or patient data (PHI) entered into the registry will be treated as strictly confidential, and will never be used in any research, or shared with any third parties without both the patient and practitioner’s express permission. As this implies, we will not share this data with insurance companies, membership organisations, private businesses including the health industry, the NHS or any government department (unless forced to do so by law in extreme circumstances such as during a criminal investigation). You will be notified in the rare and unlikely event of a data security breach where PHI information may have been implicated.

*In instances where Trusted Registry Partners (TRPs) and/or affiliates are involved in the active recruitment/management of practitioner system users they may also be data processors of identifiable practitioner user data for account management purposes only and are responsible for protecting access to this data.

 

Our obligations under HIPAA

Amplitude is fully GDPR and UK Data Protection Regulations compliant – considered the “toughest privacy and security law in the world” (gdpr.eu, 2022), we are confident that the stringent parameters set out by the globally recognised GDPR framework will offer our local and international customers the peace of mind that Amplitude operates under the strictest personal data protection guidelines.

Although not officially HIPAA certified, Amplitude’s GDPR certification assures broad-spectrum personal data protection, which by definition includes “protected health information” (PHI) in accordance with HIPAA requirements (govinfo.gov, 1996; cdc.gov, 2018). We use the appropriate procedural and technical safeguards to protect ePHI according to Subpart C of 45 CFR Part 164.

We will report the details of any breach of ePHI to you, where any ePHI has been, or is reasonably believed to have been, accessed, acquired or disclosed according to 45 CFR 164.410. The ‘Non-Breaching Party’, upon receiving knowledge of a breach of this BAA relating to ePHI by the other the ‘Breaching Party’, shall provide by notice an opportunity for the Breaching Party to resolve the breach within 30 days of such notice. If a resolution to breach is not possible, the ‘Non-Breaching Party’ is entitled to terminate this BAA and their subscription with immediate effect.

We will document any such disclosures of PHI and respond to any request from you to disclose this information within 30 days in accordance 45 CFR 164.528(b)(2).

In the event that we enter an agreement for any third parties or subcontractors to process ePHI, we will enter into a written agreement to ensure they process ePHI in accordance with the same standards and level of security as outlined in this BAA according to 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2).

We will respond to a request by you (the covered entity) for a designated record of your ePHI and clinical records, within 30 days under 45 CFR 164.524.

We may de-identify ePHI in accordance with 45 CFR 164.514(a)-(c), and process such data in the ways outlined above.

We may update our terms and BAA occasionally. In such instances any changes will be communicated with you directly by email including a summary of the changes and a link to the updated terms which will be displayed on our website. There will be a time period of 30 days before any changes of terms come into effect in order to give you reasonable time to acknowledge (updates to terms will not apply retroactively). After which, should you continue to use your subscription and access your account, this will be taken to mean you are agreeing to the updated terms. If you do not wish to be bound by the updated terms then you should NOT continue to use your account and contact us to discuss cancelling your subscription.

 

ACU-Track Registry Technical Infrastructure

The ACU-Track Registry is hosted by Amplitude Clinical, who take the security of the data it processes, on behalf of their customers, extremely seriously.  As such, the registry deploys the highest levels of security features and is compliant with GDPR and other international data protection regulations. Registry data is hosted on Azure; Microsoft’s Cloud hosting solution, a secure cloud network hosted over two UK locations for resilience.

In all cases, the transmitting of data between the client browser and the Azure cloud infrastructure, is handled via secure sockets (HTTPS), ensuring encrypted transmission of data at all times. ‘redcentric’ is Amplitude’s hosted cloud provider, connecting to the Azure cloud platform.

Annual independent penetration testing at the application level is carried out to ensure a strong security posture.  Amplitude Clinical engaged with Mitigate Cyber in 2021 in order to assess the overall security posture of their environment. Based on Amplitude Clinical’s risk profile, primary security concerns and the vulnerabilities identified at the point of the engagement, Mitigate Cyber found that overall, the security of the Amplitude systems was found to be excellent.  Next testing is now scheduled for 2022/23.

Accreditation

  • Amplitude is an accredited supplier of National PROMs to NHS Digital.

  • Amplitude has achieved “Standard Exceeded” for the Data Security & Protection (DSP) Toolkit: https://www.dsptoolkit.nhs.uk/OrganisationSearch/YGMXG

  • Amplitude is registered with the ICO under the Data Protection Act 2018 with registration = Z3538831

  • Amplitude is accredited with Cyber Essentials Plus

For more information about Amplitude Clinical’s data security, and to view their security certificates please see their website: https://amplitude-clinical.com/information-governance-information/

Or please contact them for more details: customer.support@amplitude-clinical.com

 

 

What Data is Collected?

Practitioner/Clinical Data

We collect identifiable data from practitioner/clinic users in order to manage, monitor and verify accounts/payments as well as to ensure we keep a record of all of our clients/subscribers, which we are bound to do by law. On registration, we ask practitioners to complete a practitioner profile, providing information about practitioner’s professional memberships to ensure they are valid healthcare professional users.

Once registered, all data is collected and securely stored via the ‘ACU-Track Registry’. Once using the system, practitioners have the ability to record their clinical notes and patient records using standardised form templates. This practitioner data is collected and securely stored on the ACU-Track Registry. We will under no circumstances produce any kind of report/analysis/publication of a specific practitioner, clinic or organisation’s data in isolation or comparison to another’s, without their express permission.

 

Patient Data

Through normal operation the system, identifiable patient data (including names, date-of-birth and contact details) is collected from patient users in order to communicate, verify, manage and monitor accounts, also, permissions and consent, which we are bound to do by law. We also collect communication details in order to send occasional remote health questionnaires by email on behalf of their healthcare practitioner. All patient data is exclusively collected and securely stored on ‘The ACU-Track Registry’.

Only with each patient’s express permission and consent do we collect the following patient clinical data:

  • Gender

  • BMI

  • Information about the patients’ medical history and medication use

  • Clinical outcomes scores via remote health questionnaires.

  • Information of patient satisfaction with care.

  • Information on any adverse effects experienced by the patient during their course of treatments/care.

The ACU-Track registry hosts a number of validated Patient Reported Outcome Measures (PROMs) for users to help monitor patient progress. ACU-Track subscribers are licensed and permitted to use each of these measures within the Registry.

 

What Registry Data is Processed?

Data for Auditing, Research and Analysis

All data collected via the system is done as “part of routine clinical practice”. This means that we do not ask or request patients or practitioners to provide/collect any additional information that they would not ordinarily do within their role as healthcare professionals. Typically, an analysis of this type of data falls within the remit of a “clinical audit” rather than “experimental research” although registry data may be used to answer specific research questions. ONLY anonymous data collected via the ACU-Track Registry may be processed and analysed for auditing/research purposes (unless the express permission of the patient and practitioner is otherwise granted). Only approved Trusted Registry Partners (TRPs) may be granted access to anonymous registry data for auditing or research purposes. All TRPs are required to seek independent ethics approval prior to processing any data for auditing/research purposes. Analysis of registry data may look to explore but is not limited to:

  • Short and long-term clinical outcomes

  • Cost-effectiveness

  • Differences in clinical outcomes for a wide range of health complaints

  • Safety and adverse effects

  • Specific and non-specific factors (are specific patient variables (medical history, age etc.) or practitioner variables (experience level, styles/techniques used) associated with different treatment outcomes?)

  • Clinical demographics

Re-contacting

Any research proposal which would involve contacting a practitioner or patient user directly to collect more information must go through a recognised ethics approval committee to ensure permission is granted prior to any research being undertaken. With your permission, Amplitude Clinical and/or trusted registry partners may occasionally re-contact you to ask if you or your patients are interested in participating in any further research. Examples of such research may include collecting more in-depth information about the care provided or received.

 

ACU-Track Audit, Research and Publication Policy

All published studies (auditing and research) using anonymised data from the ACU-Track Registry, by individual practitioner users and/or organisations, must be done in accordance with our Terms and Conditions and the ACU-Track Publication Guidelines. Additionally, all such studies, research and analysis using registry data, must adhere strictly to rigorous research standards and principles and seek prior ethics approval if applicable. Any studies or papers using anonymised data collected by the ACU-Track registry will be listed on the ACU-Track website: https://www.acu-track.org/

 

User Terms and Responsibilities

Security and Account Access:

  • You will protect access to your user account and act in accordance to GDPR, HIPAA or other relevant data security guidelines whilst operating your account.

  • You will ensure the appropriate security of your login details and protect the access to your user account and sensitive patient data.

  • You will contact Amplitude Clinical immediately and change your password should you suspect a breach of security.

  • You will not create additional user accounts for the purpose of abusing the functionality of the Site, the App or any Content, or other Users, or to seek to pass yourself off as another User.

  • You only grant access to appropriate “delegates” and/or “admin” individuals in your user account, and that you ask your patients for express permission before you share their clinical data with a new “delegate”.

  • You acknowledge that we have the right, at our sole discretion, to terminate your account, or limit/deny access to your account if we believe you have acted against our terms of use.

 

Closing your Account, Data Storage and Deletion:

  • Your participation in the ACU-Track registry is voluntary, and you are free to stop entering any further clinical data into the registry and at point.

  • You have the right to export your clinical data from the system at any time and in the event you choose to close and/or your account.

  • You have the right to either close or delete your practitioner user account once your subscription has ended. Closed accounts may be re-activated in the future; however account deletion is permanent and cannot be undone. In such cases we recommend to extract a copy of your clinical data prior to account deletion for your records.

  • You acknowledge that should you decide to end your subscription, anonymous clinical data previously collected via the registry may have been previously used and/or published for auditing or research purposes.

  • You understand that you and your patient’s clinical data may remain stored on the registry even in the event that you end your subscription.

  • You have the right to delete patient data/records from the registry for legitimate purposes. These purposes may include deletion of: duplicate/test patients, old patient data, patient requests to delete records under GDPR right to erasure. Regular deletion/editing of patient data/outcomes scores due to patients submitting negative scores is considered to be a violation of our Terms of Use, and is potentially a violation of data protection laws in your country.

  • You understand that we reserve the further right to terminate any User account with no prior notice, including the deletion of any stored content contained within the account, in the case where an account and previous subscription has been inactive for a period of over 12 months OR where our Terms of Use have been clearly violated.

 

Patient Consent:

  • The ACU-Track registry will automatically ask each new patient for their consent prior to entering any clinical information into the system. It is your responsibility to ensure that explicit consent is sought, given and recorded for each patient who enters clinical information into the system.

  • You understand that failure to correctly indicate the acquisition of consent may lead to the anonymisation/deletion of all identifying data linked to a patients’ records.

  • You are responsible for indicating a patient’s consent where this is done non-electronically and may be required to provide proof.

  • You are responsible for taking the appropriate actions should a patient subsequently withdraw their consent for; being contacted, data processing and/or data storage.

  • Amplitude Clinical will always provide all users with the appropriate support in the event that a patient withdraws their consent, requests their data is deleted or requests a copy of their clinical records.

 

Appropriate Use and Data Management:

  • You are an Acupuncture and/or Traditional East Asian Medicine (TEAM) healthcare practitioner over the age of 18, and you hold all the necessary qualifications, insurance and licenses to practice legally in your country.

  • You will endeavour to record only clinically necessary and appropriate data under the remit of normal practice activity for a healthcare professional.

  • You will endeavour that all data collected will be accurate and up to date.

 

Extraction and Publication of Data

  • Any clinical information that is extracted from the registry via reports is done so for appropriate uses only. This may include but is not exclusive to clinical auditing, research and/or teaching purposes.

  • Only users with the relevant permitted access rights can extract and process patient data from the registry (this may include clinic reception/admin staff users)

  • The ACU-Track registry hosted by Amplitude Clinical must be acknowledged as the source of the data whenever any data collected via the registry is used in any publication or press release (including electronic versions).

  • The author must contact and inform ACU-Track prior to publishing any data, and all published data must adhere to the ACU-Track Publication Guidelines.

  • You must seek the express formal approval of a research ethics committee prior to using any registry data for research purposes (this does not include routine clinical audits).

 

General Registry Website Terms

  • The content of the pages on the ACU-Track Registry website are for your general information and use only. It is subject to change without notice.

  • This website contains material which is owned by or licensed to us. This material includes, but is not limited to, the design, layout, look, appearance, logo’s and graphics. Reproduction is prohibited other than in accordance with the copyright notice, which forms part of these terms and conditions.

  • All trademarks reproduced in this website, which are not the property of, or licensed to the operator, are acknowledged on the website.

  • Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence.

  • From time to time, this website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website(s). We have no responsibility for the content of the linked website(s).

  • Your use of this website and any dispute arising out of such use of the website is subject to the laws of the UK.

  • Unauthorised access to this system is an offence.

 

Disclaimer

  • Every effort is made to keep the Registry website up and running smoothly. However, The ACU-Track registry takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

  • The listing of suppliers' components in the ACU-Track registry database does not indicate the approval of such components by the registry or any regulatory body.

  • You give the Amplitude Clinical Support Team rights to correct any incorrect patient data in your system that is directly prohibiting the patient accessing their portal (e.g. date of birth correction).

 

Copyright Notice

The ACU-Track registry website, database and its content are copyright of ACU-Track and/or Amplitude Clinical.  All rights reserved.  Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following. You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

Your Subscription and Payment

  • You will be instructed to set up your direct debit mandate via a third-party payment partner (GoCardless) to pay for your subscription. You can choose whether to pay monthly or annually. Your account can only be activated, once you have set up your direct debit.

  • Whether paying annually or monthly, the minimum contract term is for one year, should you wish to cancel before your subscription has expired, you will be charged for remainder of the period.

  • Whilst your ACU-Track account supports a document upload feature, there is also a limited document upload capacity per user. We will notify you in the event you exceed the document upload limit, in which case there will be a small additional charge for extra document upload volume should you need it.

  • Your subscription will auto-renew annually. If you do not wish to renew your subscription, you must give us at least 30 day’s notice prior to cancelling your subscription.