Effective Date: October 17, 2019
At PatientCentra, we take the protection and security of our clients’ Personal and Sensitive Data very seriously and have invested heavily in infrastructure, policies and staff training to insure compliance with various global regulations (e.g. ICH E6/GCP, HIPAA/HITECH (US), GDPR (EU), APEC Cross Border Privacy, China CSL). We employ a series of physical, technical, and administrative security safeguards to reduce the risks of loss, misuse, unauthorized access, disclosure, or alteration which include, but are not limited to, the following:
- Comprehensive policies & procedures (SOPs) governing data privacy and security
- Quarterly security audits & yearly risk assessments
- Background checks (civil & criminal) on all employees and subcontractors with Personal Data access
- Contractual agreements (e.g. Business Associate Agreements (BAAs), Data Privacy Agreements (DPAs) and monitoring of any subcontractors with access to Personal or Sensitive Data to insure compliance commensurate with our Privacy Policies.
- Training (initial & ongoing) of all employees on data privacy regulations and SOPs
- Encryption of all Personal Data at rest or in transit
- Maintenance of all Personal Data storage in Tier 3 data centers
- Ongoing monitoring via Intrusion Detection System (IDS)
- Periodic vulnerability/penetration testing of key portal servers
- User access controls and limitations on key Personal Data-containing platform (Performance Portal) including 'no PHI' access roles and roles
- Security incident monitoring & reporting
- Data backup plan / disaster recovery plan
The Company uses reasonable measures to protect Your and Patients’ information, however, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If You have reason to believe that Your interaction with us is no longer secure (for example, if You feel that the security of any account You have with us has been compromised), please notify us immediately by contacting firstname.lastname@example.org or by faxing Your notice to 781-235-0929.
PatientCentra works closely with one of the world’s leading privacy regulatory consultants, TrustArc, to ensure our privacy programs are compliant with global regulations and privacy standards through a system of assessment, remediation, certification and ongoing monitoring. Our Recruitment Websites are certified with the broadly known TRUSTe seal which builds confidence and trust amongst Patients and Clients.
HIPAA / HITECH Compliance
Although data collected during the patient recruitment and pre-screening process by the Company may not constitute a patient medical record as defined by the Health Insurance Portability and Accountability Act (HIPAA), we understand that this data is nonetheless sensitive and treat it with all the appropriate security and privacy protections afforded Protected Health Information by both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
GDPR compliance / Privacy Shield
The Company participates in and has self-certified its compliance with the EU General Data Protection Regulation (GDPR). More can be found out about GDPR at https://eur-lex.europa.eu/eli/reg/2016/679/oj
The Company participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. The Company is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. [https://www.privacyshield.gov/list]
The Company is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Company complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Company is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, The Company may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Under certain conditions, more fully described on the Privacy Shield website [https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint], You may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
The Company has been certified by a leading regulatory consultancy (TrustArc) to have privacy practices meeting the Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) framework for data processors. More information on this can be found at https://www.trustarc.com/products/apec-certification/
When You visit our Website or contact us or we contact You, we collect personal information that You provide voluntarily. Most of our Recruitment Websites contain a Pre-Screening Questionnaire (PSQ) where we collect personal information when Patients answer questions on the website or we may collect personal information when we contact You by telephone or email. During Pre-Screening, The Company only collects personal information that is limited and necessary to evaluate Patients’ eligibility and qualifications for participation in our Sponsor’s current Study.
On this Website, we may collect and process Your Personal Data. In the provision of our services, The Company (Data Processor) processes Personal Data on behalf of its Client(s) (Data Controllers). Personal Data means any information relating to an identified or identifiable natural person (data subject).
Personal Data includes direct and indirect identifiers such as:
- E-mail address
- Phone number
- IP address
- Identification Number
- Location Data (e.g. zip or postal codes)
- On-line Identifier
- Sensitive Data that may include one or more factors specific to physical, psychological, genetic, mental, economic, cultural or social identity of a natural person.
In the provision of our services, The Company (Data Processor) may process Sensitive Data on behalf of its Client(s) (Data Controllers). Sensitive Data is a special category of Personal Data that requires additional privacy and security protections. The collection of Sensitive Data is done at the direction of our Client(s) and is limited to specific and necessary Sensitive Data of potential clinical trial participants needed to determine eligibility for specific clinical trials or for potential Patients needed to determine appropriateness for a given medical practice.
Our Pre-Screening webpages require express consent of potentially eligible participants (e.g., website check box, participant voluntarily clicking ‘Submit’ button) before collection of any Personal Data that will be linked to any Sensitive Data (thereby making it identifiable).
Sensitive personal information that may be collected includes:
- Medical conditions
- Severity of condition
- Medical test results
- Height & Weight
- Lifestyle/habits (e.g. exercise, smoking)
- Prior medical procedures
- Medical symptoms
- Existing participation status or willingness to participate in a clinical trial
- Choice of physician or medical clinic
- Requested or actual appointment date and time
Uses and Disclosures of Information Collected
The Company uses and discloses Personal Data (including Sensitive Data) for a variety of purposes that are limited and necessary to the operation of our business and the delivery of services to You. These purposes include to:
- Provide information to You to help you determine whether our services may be of benefit to You.
- Reply to Your requests, inquiries and comments;
- Contact You via land line phone, cell phone, email, text message (cell and data charges may apply);
- Determine whether Patients may be eligible to participate in a Sponsor’s Study. During the recruitment period for a Study, we may provide a Patient’s screening information and contact information to one of our Sponsor’s investigator sites nearest to that Patient;
- Provide our services and generally manage and administer our business including required records retention processes;
- Develop and improve our services;
- Respond to circumstances permitted or required by law, including defending and bringing legal actions; and
- Ensure the security and integrity of our websites and operations.
The Company may disclose personal information collected through this Website to affiliated third party service providers, such as IT support services, customer service providers, and other services providers that support us and facilitate the services we provide to You. These companies are authorized to use Your Personal Data only as necessary to provide these services to us. For example, we use Google Analytics, a web analysis service provided by Google. Google utilizes the data collected to track and examine the use of our Websites, to prepare reports for us on website activities and share them with other Google services. However, Google Analytics offers an opt-out provision for website visitors who do not want their data to be collected. You can access more information about this option at http://tools.google.com/dlpage/gaoptout.
The Company may disclose information to a third party in the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). You will be notified via email and/or a prominent notice on our website, of any change in ownership, uses of Your Personal Data, and choices You may have regarding Your Personal Data. Further, we may use and disclose information collected through the Website as we believe to be necessary or appropriate, including: (a) as permitted by applicable law; (b) to comply with legal process; (c) to respond to requests from public and government authorities; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect our rights, privacy, safety, or property, and/or that of our affiliates, You, or others; and (g) to allow us to pursue available remedies or limit damages that we may sustain. We may also disclose Your Personal Data to any other third party with Your prior consent.
The Company reserves the right to compile and use the Personal Data collected as described above, in a de-identified or anonymized format, i.e. no longer personally identifiable as defined by data privacy regulations, for data aggregation and data analytics purposes.
Passive Information Collection and Use
The Websites use a passive technology called “cookies” and other similar technologies. With cookies, we collect the IP (Internet protocol) addresses of all visitors to our Websites and other related information such as browser type, operating system and average time a visitor spends on our websites. The Company uses this information to help us understand our website activity and to monitor and improve our Websites. Cookies also provide information about You and Your preferences, and help us personalize Your experience on our Website. You can set Your web browser to notify You when cookies are being placed on Your system or to not accept cookies. However, if You decide not to accept cookies from our websites, You may not be able to take advantage of all of the features available to You on our Websites.
Our Website uses another passive technology called “internet tags” or “web beacons”. This technology allows us to understand which webpages You visit and helps us optimize and tailor our Websites to You and other future visitors. You can set Your browser to notify You when these passive technologies are being placed on Your system to not accept them.
The Company also collects information from and about Your mobile device, such as a unique device identifier.
Unaffiliated Third Party Sites and Services
Use of Website by Minors
Use of this Website or our services is not generally directed to individuals under the age of 18, and we request that these individuals not provide Personal and/or Sensitive Data through the Websites or through our service providers unless identified as appropriate in the Pre-Screening criteria. However, there may be some Sponsors that are specifically seeking this age group. In such clinical trials or situations, parental consent may be required as part of the Pre-Screening process.
If personal information related to individuals under the age of 18 is identified and deemed inappropriate, reasonable steps will be taken to delete the information.
Choices and Access
Upon request the Company will provide You with information about whether we hold any of Your personal information. If You wish to change Your preferences about the personal information You provided to us or wish to withdraw Your consent to its retention, use or disclosure, please contact us at email@example.com or by faxing to 781-235-0929.
If You would like to review, correct, update, or delete the personal information that You have provided via the Website, please contact us at firstname.lastname@example.org or by faxing to 781-235-0929. We will reply to Your request in a reasonable period of time not to exceed 60 days.
If You have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Your information may be processed in the country in which it was collected or transferred to other countries, including the United States (where our servers are generally located), for processing where laws regarding processing of information may be less stringent than the laws in Your country. By using this Website and our services, You consent to the transfer of Your personal information to countries outside of Your country of residence, including the United States.
Platform Data Collection
In the provision of our services, The Company (Data Processor) collects information under the direction of its Client(s) (Data Controller(s)) and processes information on our Client(s)’ behalf. We have no direct relationship with the individuals whose Personal Data we process. If You are a customer of our Client(s) or are a participant in a Client(s)’ clinical trial and would no longer like to participate and/or be contacted by our Client, please contact the Client directly.
The Company acknowledges that You have the right to access Your personal information. Individuals who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to the Company’s Client or the Company directly. If requested to remove data we will respond within a reasonable timeframe.
The Company will retain Personal Data we process on behalf of our Client(s) for as long as needed to provide services to our Client(s). The Company will retain this personal information for as long as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.