Effective Date: October 17, 2019

This website (the “Website”) is operated by PatientCentra (“Company”, “we”, “us” or “our”), a division of MD Connect, Inc., to describe our services and collect information from potential and existing Clients. We assist pharmaceutical companies, medical device companies and CROs (“Client(s)”, “You” or “Your”) with recruitment of individuals to participate in clinical trials, which may include production of patient-facing websites (“Recruitment Websites”) which collect and house data from individuals (“Patients”) who may become patients at a particular investigator site. This Privacy Policy more broadly describes our personal information collection procedures for this Website and Recruitment Websites (collectively “Websites”) and the choices available to You and Patients regarding our use and disclosure of Your and their personal information.

We collect, use, and disclose personal information You share with us directly or You voluntarily provide through Your use of this Website, regardless of how You access the Website or our services, which may be through the use of a mobile device. We also may collect personal information by means of phone or email conversations directly with You. By providing personal information to us directly or by using the Website, You are consenting to the terms and conditions of this Privacy Policy. Our use of information collected on this Website shall be limited to the purpose of educating existing and potential Clients about our services.

Security

At PatientCentra, we take the protection and security of our clients’ Personal and Sensitive Data very seriously and have invested heavily in infrastructure, policies and staff training to ensure compliance with various global regulations (e.g. ICH E6/GCP, HIPAA/HITECH (US), GDPR (EU), APEC Cross Border Privacy, China CSL). We employ a series of physical, technical, and administrative security safeguards to reduce the risks of loss, misuse, unauthorized access, disclosure, or alteration, which include, but are not limited to, the following:

  • Comprehensive policies & procedures (SOPs) governing data privacy and security
  • Quarterly security audits & yearly risk assessments
  • Background checks (civil & criminal) on all employees and subcontractors with Personal Data access
  • Contractual agreements (e.g. Business Associate Agreements (BAAs), Data Privacy Agreements (DPAs)) with, and monitoring of, any subcontractors with access to Personal or Sensitive Data to ensure compliance commensurate with our Privacy Policies
  • Training (initial & ongoing) of all employees on data privacy regulations and SOPs
  • Encryption of all Personal Data at rest or in transit
  • Maintenance of all Personal Data storage in Tier 3 data centers
  • Ongoing monitoring via Intrusion Detection System (IDS)
  • Periodic vulnerability/penetration testing of key portal servers
  • User access controls and limitations on the key Personal Data-containing platform (Performance Portal), including 'no PHI' access roles
  • Security incident monitoring & reporting
  • Data backup plan / disaster recovery plan

The Company uses reasonable measures to protect Your and Patients’ information, however, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If You have reason to believe that Your interaction with us is no longer secure (for example, if You feel that the security of any account You have with us has been compromised), please notify us immediately by contacting privacy@patientcentra.com or by faxing Your notice to 781-235-0929.

Certified Privacy 

PatientCentra works closely with one of the world’s leading privacy regulatory consultants, TrustArc, to ensure our privacy programs are compliant with global regulations and privacy standards through a system of assessment, remediation, certification and ongoing monitoring. Our Recruitment Websites are certified with the broadly known TRUSTe seal which builds confidence and trust amongst Patients and Clients.

HIPAA / HITECH Compliance

Although data collected during the patient recruitment and pre-screening process by the Company may not constitute a patient medical record as defined by the Health Insurance Portability and Accountability Act (HIPAA), we understand that this data is nonetheless sensitive and treat it with all the appropriate security and privacy protections afforded Protected Health Information by both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

GDPR compliance / Privacy Shield

The Company participates in and has self-certified its compliance with the EU General Data Protection Regulation (GDPR). More about the GDPR can be found at https://eur-lex.europa.eu/eli/reg/2016/679/oj

The Company participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. The Company is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. [https://www.privacyshield.gov/list]

The Company is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Company complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Company is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, The Company may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Under certain conditions, more fully described on the Privacy Shield website [https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint], You may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

APEC compliance 

The Company has been certified by a leading regulatory consultancy (TrustArc) to have privacy practices meeting the Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) framework for data processors. More information on this can be found at https://www.trustarc.com/products/apec-certification/

Information Collected

When You visit our Website or contact us or we contact You, we collect personal information that You provide voluntarily. Most of our Recruitment Websites contain a Pre-Screening Questionnaire (PSQ) through which we collect personal information when Patients answer questions on the website; we may also collect personal information when we contact You by telephone or email. During Pre-Screening, The Company only collects personal information that is limited and necessary to evaluate Patients’ eligibility and qualifications for participation in our Sponsor’s current Study.

Personal Data

On this Website, we may collect and process Your Personal Data. In the provision of our services, The Company (Data Processor) processes Personal Data on behalf of its Client(s) (Data Controllers). Personal Data means any information relating to an identified or identifiable natural person (data subject).

Personal Data includes direct and indirect identifiers such as:

  • Name
  • E-mail address
  • Phone number
  • Address
  • IP address
  • Identification Number
  • Location Data (e.g. zip or postal codes)
  • On-line Identifier
  • Sensitive Data that may include one or more factors specific to physical, psychological, genetic, mental, economic, cultural or social identity of a natural person.

Sensitive Data

In the provision of our services, The Company (Data Processor) may process Sensitive Data on behalf of its Client(s) (Data Controllers). Sensitive Data is a special category of Personal Data that requires additional privacy and security protections. The collection of Sensitive Data is done at the direction of our Client(s) and is limited to specific and necessary Sensitive Data of potential clinical trial participants needed to determine eligibility for specific clinical trials or for potential Patients needed to determine appropriateness for a given medical practice.

Our Pre-Screening webpages require express consent of potentially eligible participants (e.g., website check box, participant voluntarily clicking ‘Submit’ button) before collection of any Personal Data that will be linked to any Sensitive Data (thereby making it identifiable).

Sensitive personal information that may be collected includes:

  • Medical conditions
  • Severity of condition
  • Medical test results
  • Age
  • Height & Weight
  • Lifestyle/habits (e.g. exercise, smoking)
  • Prior medical procedures
  • Medical symptoms
  • Ethnicity
  • Existing participation status or willingness to participate in a clinical trial
  • Choice of physician or medical clinic
  • Requested or actual appointment date and time

Uses and Disclosures of Information Collected

The Company uses and discloses Personal Data (including Sensitive Data) for a variety of purposes that are limited and necessary to the operation of our business and the delivery of services to You. These purposes include to:

  • Provide information to You to help You determine whether our services may be of benefit to You;
  • Reply to Your requests, inquiries and comments;
  • Contact You via land line phone, cell phone, email, text message (cell and data charges may apply);
  • Determine whether Patients may be eligible to participate in a Sponsor’s Study. During the recruitment period for a Study, we may provide a Patient’s screening information and contact information to one of our Sponsor’s investigator sites nearest to that Patient;
  • Provide our services and generally manage and administer our business including required records retention processes;
  • Develop and improve our services;
  • Respond to circumstances permitted or required by law, including defending and bringing legal actions; and
  • Ensure the security and integrity of our websites and operations.

The Company may disclose personal information collected through this Website to affiliated third party service providers, such as IT support services, customer service providers, and other services providers that support us and facilitate the services we provide to You. These companies are authorized to use Your Personal Data only as necessary to provide these services to us. For example, we use Google Analytics, a web analysis service provided by Google. Google utilizes the data collected to track and examine the use of our Websites, to prepare reports for us on website activities and share them with other Google services. However, Google Analytics offers an opt-out provision for website visitors who do not want their data to be collected. You can access more information about this option at http://tools.google.com/dlpage/gaoptout.

Google may also use the data it collects to contextualize and personalize the ads of its own advertising network. The Personal Data collected for this purpose is limited to cookie and usage data. You should refer to Google’s privacy policy for more details about their data privacy practices related to this usage.

The Company may disclose information to a third party in the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). You will be notified via email and/or a prominent notice on our website, of any change in ownership, uses of Your Personal Data, and choices You may have regarding Your Personal Data. Further, we may use and disclose information collected through the Website as we believe to be necessary or appropriate, including: (a) as permitted by applicable law; (b) to comply with legal process; (c) to respond to requests from public and government authorities; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety, or property, and/or that of our affiliates, You, or others; and (g) to allow us to pursue available remedies or limit damages that we may sustain. We may also disclose Your Personal Data to any other third party with Your prior consent.

The Company reserves the right to compile and use the Personal Data collected as described above, in a de-identified or anonymized format, i.e. no longer personally identifiable as defined by data privacy regulations, for data aggregation and data analytics purposes.

Passive Information Collection and Use

The Websites use a passive technology called “cookies” and other similar technologies. With cookies, we collect the IP (Internet protocol) addresses of all visitors to our Websites and other related information such as browser type, operating system and average time a visitor spends on our websites. The Company uses this information to help us understand our website activity and to monitor and improve our Websites. Cookies also provide information about You and Your preferences, and help us personalize Your experience on our Website. You can set Your web browser to notify You when cookies are being placed on Your system or to not accept cookies. However, if You decide not to accept cookies from our websites, You may not be able to take advantage of all of the features available to You on our Websites.

Our Website uses another passive technology called “internet tags” or “web beacons”. This technology allows us to understand which webpages You visit and helps us optimize and tailor our Websites to You and other future visitors. You can set Your browser to notify You when these passive technologies are being placed on Your system or to not accept them.

We partner with third parties to display advertising on our website or to manage our advertising on other sites. Our third party partners may use cookies or similar technologies in order to provide You advertising based upon Your browsing activities and interests. If You wish to opt out of interest-based advertising click here [or if located in the European Union click here]. Please note You will continue to receive generic ads.

The Company also collects information from and about Your mobile device, such as a unique device identifier.

Unaffiliated Third Party Sites and Services

The Company may make unaffiliated third party sites and services available to You and Patients to access. Access to these sites and services requires that You provide Your consent to the services or products offered by the unaffiliated third parties before access is granted to the third party sites. This Privacy Policy does not apply to the unaffiliated third party sites and offerings. The third party sites and offerings are governed by the Privacy Policy of the unaffiliated third party. You should review their Privacy Policy before consenting to access their sites and offerings. The Company is not responsible for the personal information You provide to these unaffiliated third party sites and offerings, including, without limitation, any third party operating any site, web property and/or application that is available to You through this Website or to which this Website contains a link. The availability of or inclusion of a link to any unaffiliated third party site or products on the Website does not imply or serve as an endorsement of it, its services or products by The Company.

Use of Website by Minors

Use of this Website or our services is not generally directed to individuals under the age of 18, and we request that these individuals not provide Personal and/or Sensitive Data through the Websites or through our service providers unless identified as appropriate in the Pre-Screening criteria. However, there may be some Sponsors that are specifically seeking this age group. In such clinical trials or situations, parental consent may be required as part of the Pre-Screening process.

If personal information related to individuals under the age of 18 is identified and deemed inappropriate, reasonable steps will be taken to delete the information.

Choices and Access

By providing us with Your personal information, You are consenting to our collection, use and disclosure of Your personal information as described in this Privacy Policy.

Upon request the Company will provide You with information about whether we hold any of Your personal information. If You wish to change Your preferences about the personal information You provided to us or wish to withdraw Your consent to its retention, use or disclosure, please contact us at privacy@patientcentra.com or by faxing to 781-235-0929.

Please note that our response to Your request to withdraw consent is subject to legal or contractual restrictions and reasonable notice, including: (i) if You withdraw Your consent before we submit Your information to our Client’s clinical trial site, we will not submit it; (ii) if we receive notice of Your withdrawal after we have submitted Your information, You will need to contact the Client’s clinical trial site to withdraw Your consent to further use; (iii) where we have provided or are providing services to You, Your consent will be valid for as long as necessary to fulfill the purposes described in this Privacy Policy or otherwise stated at the time of collection.

If You would like to review, correct, update, or delete the personal information that You have provided via the Website, please contact us at privacy@patientcentra.com or by faxing to 781-235-0929. We will reply to Your request in a reasonable period of time not to exceed 60 days.

If You have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Retention Period

We retain Your personal information for the period necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or allowed by law or to otherwise fulfill a legal obligation.

Cross-Border Transfer

Your information may be processed in the country in which it was collected or transferred to other countries, including the United States (where our servers are generally located), for processing where laws regarding processing of information may be less stringent than the laws in Your country. By using this Website and our services, You consent to the transfer of Your personal information to countries outside of Your country of residence, including the United States.

Platform Data Collection

In the provision of our services, The Company (Data Processor) collects information under the direction of its Client(s) (Data Controller(s)) and processes information on our Client(s)’ behalf. We have no direct relationship with the individuals whose Personal Data we process. If You are a customer of our Client(s) or are a participant in a Client(s)’ clinical trial and would no longer like to participate and/or be contacted by our Client, please contact the Client directly.

We may also transfer Personal Data to companies that support us in providing our services for our Client(s). Such transfers to subsequent third parties are covered by the service agreements with our Client(s) and/or with The Company. Such contracts hold the Parties to standards of confidentiality and security consistent with this Privacy Policy.

The Company acknowledges that You have the right to access Your personal information. Individuals who seek access, or who seek to correct, amend, or delete inaccurate data, should direct their query to the Company’s Client or to the Company directly. If requested to remove data, we will respond within a reasonable timeframe.

The Company will retain Personal Data we process on behalf of our Client(s) for as long as needed to provide services to our Client(s). The Company will retain this personal information for as long as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Updates to This Privacy Policy

This Privacy Policy may be revised from time to time. Any changes to this Privacy Policy will become effective when the changes are posted in a revised Privacy Policy on the Website. If we make any material changes, we will notify You by email (sent to the e-mail address specified in Your account) or by means of a notice on this website prior to the change becoming effective. Your continued voluntary provision of personal information or use of the Website following these changes serves as consent to the revised Privacy Policy.

Contacting Us

If You have any questions about this Privacy Policy, please contact us at privacy@patientcentra.com or by faxing to 781-235-0929.

OP SOP03 APP10-V1