Dan Toffling is co-founder and Chief Technology Officer of Folia Health. The Toffling family’s experience in caregiving inspired Dan to join Nell in starting Folia. Read more about how they’ve learned to break down barriers for their daughter, Mila.

Folia: As CTO of an early stage start-up, you wear a lot of hats, not the least of which is data privacy and security.  Start us off with the difference between the two.

Dan: Privacy involves the patient’s right to decide who has access to his/her data, and the policies around how that is handled at an organizational level. Security involves protecting data and user accounts through controls, technology, and processes. To use the analogy of your local bank, privacy involves your right to keep information about your accounts and transactions confidential and clarifies who has access to it, and security involves the building design, security staffing, policies around checking identification in order to access accounts, etc.  

F: Why are privacy and security so important at Folia?

D: Not only do we have to adhere to standards legislated under HIPAA (Health Insurance Portability and Accountability Act), but we understand that Folia members are entrusting us with very personal and sensitive information, often during some of the most stressful and difficult times in their lives. Several of us at Folia use Folia to track our own data or our children’s data, so we sit at the receiving end of good privacy and security practices as well.

F: What are some of Folia’s practices with regard to data security?

D: We use industry best practices, such as multi-factor authentication, business associate agreements (BAAs) with vendors (such as email, data storage, etc.), virtual private networks (VPNs), etc. to ensure our systems are as secure as possible. 

On the human front, we have an in-depth security policy that all employees review several times a year. We also adopt practices such as limiting data access only to employees who require it to perform their job responsibilities, ensuring no protected health information (PHI) is stored on individual laptops, and enforcing a clean desk policy so no PHI is ever left exposed on someone’s desk or on the screen of an unlocked laptop.  

F: Tell us about privacy and security practices with regard to Folia’s research initiatives?

D: Folia members have the opportunity to opt-in or opt-out of sharing their data with their clinic and/or research initiatives. It is always an individual choice.  

If you opt-in to research partnerships, data is de-identified and aggregated. This means that identifiable information (names, contact information, email addresses, etc.) are never shared with third parties, and datasets are reviewed by researchers as a whole (not at an individual level).

Any research initiative that would match your Folia data with other health data would require an additional opt-in so users can provide explicit permission for their data to be used in that way. We also have restrictions on what research partners can do with Folia data.


Foundational to Folia is the idea that patients and caregivers have the power to transform care for themselves and the broader patient community, and that is the north star that guides how we operate and grow this company. 

We commit to only engaging in research partnerships that benefit how patients receive care. For transparency, we will publish descriptions of all active research projects, and once research projects are completed we will publish the names of the research partners.

We invite other health data companies to join us in setting this new standard for transparency and true patient empowerment. Join the dialogue!