Global Data Privacy Policy

At HealthiVibe, LLC (HealthiVibe), we recognize that safeguarding sensitive and identifiable patient information is of critical importance. We acknowledge the responsibility that we assume whenever we handle identifiable information about any individual, as well as our legal obligations as they relate to data privacy laws and directives, including the Health Insurance Portability and Accountability Act (HIPAA) and ICH Good Clinical Practice (GCP). Please note that while HealthiVibe is not a covered entity under HIPAA, we abide by our clients’ best practices for HIPAA guidelines.

HealthiVibe complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU) to the United States. HealthiVibe has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.

The intent of this privacy policy is to outline the types of personal information we process and in what context; how that information is used, protected and disclosed; and the rights of those individuals with respect to the information we collect.

HealthiVibe has enacted policies and training programs to support compliance with all applicable laws and this Policy. We follow strict processes for patient recruitment, communication, obtaining and analyzing data and the personnel/facilities used in our projects. Our policies and training programs are reviewed on a regular basis and managed with senior executive oversight.

Types of Information We Collect

HealthiVibe collects information on behalf of our clients in face-to-face and virtual interviews, focus groups and advisory boards, as well as through online patient surveys to support clinical trial activities. The company also collects and stores website visitor and client authentication information associated with the HealthiVibe and HealthiView websites.

Medical and Personal Data

Information collected may include medical or diagnostic data, such as conditions and comorbidities, as well as personally identifiable data such as name, phone number, address, and email for use in follow-up interviews. In all cases, personally identifiable data is stored separately from medical data. Medical data records are linked to personal data through the use of a non-identifiable patient code. Access to personal data is strictly controlled and restricted to authorized HealthiVibe project staff.

HealthiVibe also collects personal information directly from patients as part of an opt-in database service. This information may be collected through an online survey or as part of an opt-in request through the company website. Information collected may include the patient’s name, phone number, address, and email address, as well as self-reported data related to conditions and comorbidities, along with therapeutic areas of interest to the patient.

Client Website Authentication Data

HealthiVibe provides web-based access to de-identified patient survey data to clients through the HealthiView reporting platform. Client information collected and stored includes the user name, email address, and a hashed (encrypted) form of the user’s password to access the site.

Web Visitor Data

HealthiVibe may also collect, by means of our websites and web-based service offerings, non-personal information about a user’s technical configuration used to access HealthiVibe services. This may include browser and operating system versions, device manufacturer, IP address, referral address, and access time. This information is used to maintain and monitor quality of our websites and to provide general statistics regarding use of our services. In some cases, IP addresses may also be used to restrict access to previously-completed surveys.

The above information is maintained in our system logs for analytical purposes to improve our web pages or track for quantitative research data analytics. The logs may be kept indefinitely and used at any time and in any way necessary to prevent a security breach and to ensure the integrity of the data on our servers.

HealthiVibe websites may, in addition, use "cookies". Cookies are small text files stored directly on your device. These are used for purposes of maintaining certain aspects of session state between website or online survey visits.

Storage of Personal Information

HealthiVibe has in place security to protect any collected personally identifiable information, to prevent access to and misuse of that information or its loss or alteration.

Personally identifiable details of any collected data records are stored in encrypted form in a secure environment. Access to these records is restricted to authorized HealthiVibe project personnel only.

We implement strong security measures to protect personal or sensitive data collected. Although unlikely, if we experience a data breach or incident, we will take immediate action to stop the breach, mitigate any harm, communicate with all stakeholders impacted, and work closely with our partners to ensure any notifications follow applicable laws.

Retention and Disposal

HealthiVibe retains personal information according to a retention schedule specific to each project or the client’s best practice. Please refer to the project-specific privacy notice for further information.

For data collected as part of our opt-in database service, patients may contact HealthiVibe to request removal of their data at any time.

Disclosures of Personal Information

Personal information may be shared within HealthiVibe, and with third parties only when such information sharing is specifically outlined in a project plan with a client on whose behalf the information has been collected.

HealthiVibe does not sell, trade or rent personally identifiable information to any third parties.

On an exceptional basis, we may disclose personal information for the following reasons:

  • When there is reasonable belief disclosure is required by law, including information requested by means of subpoena and court order.
  • Report of what appears to be illegal or fraudulent conduct to law enforcement authorities.
  • If the company at any point transfers assets or operations in connection with a sale, merger, bankruptcy, or other transaction, we may transfer personally identifiable information to the acquiring or merging entity. If so, we will make all reasonable efforts to require that personally identifiable information remains subject to essentially the same protections as contained in this Privacy Policy.

Notice and Consent

Notice will be provided to individuals whose personal data is being collected at the time of data collection. The notice will clearly describe how the information will be used and the circumstances under which it may be disclosed, as well as the individual’s informational rights under all applicable data privacy laws or under this Policy.

The specific form and content of the notice, as well as the mechanism for consent, will be dependent on the data collection medium and the purpose for which data is being collected. Notice may be given in person utilizing an informed consent form (paper or electronic); communication by telephone; over email; or through an online, context-specific privacy policy page made available for the individual’s review. Explicit consent is required for the collection of all personally identifiable information.

Children’s Data Privacy

We abide by laws designed to protect children involved in our research. Any individual who requests information about participation must be 18 or over. We will not knowingly collect, use or disclose Personal Data from a minor under the age of 18, without obtaining prior consent from a person with parental responsibility (e.g., a parent or guardian).

Links to Third-Party Sites

Our websites and web-based services may contain links to third-party websites, content, or services that are not owned or controlled by HealthiVibe. While we carefully evaluate third-party vendors to ensure they follow the same principles and best practices outlined in this document, HealthiVibe is not responsible for how these properties operate or treat personal information.

Sharing your Personal Information with Third Parties

We may disclose personal information that HealthiVibe has collected or that was provided by you to:

  • Contractors and other third parties (i.e. recruitment or technology) utilized to support business (companies bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose the information).
  • Comply with any court order, law or legal process, including to respond to any government or regulatory request.
  • Protect and defend the rights of property of HealthiVibe (including the enforcement of our agreements).
  • Act in urgent circumstances to protect the personal safety of users or the public.
  • For any other purpose disclosed by us when you provide the information and your consent.

HealthiVibe is liable for inappropriate transfers of personal data to third parties. HealthiVibe complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions. For more information, please review https://www.privacyshield.gov/article?id=3-ACCOUNTABILITY-FOR-ONWARD-TRANSFER.

In certain situations, HealthiVibe may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Additionally, HealthiVibe is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Your Personal Informational Rights

Participants have the right to access, modify or delete any personally identifiable information stored by HealthiVibe, and to withdraw consent for its use. Subject to applicable law, you also have the right to (i) restrict HealthiVibe’s use of Other Information that constitutes your Personal Data and (ii) lodge a complaint with your local data protection authority.

Requests may be made either by mail, phone or email, using the following contact information.

In compliance with the Privacy Shield Principles, HealthiVibe commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact HealthiVibe at:

Mail:
Chief Information Officer
HealthiVibe, LLC
4201 Wilson Boulevard,
#110-321, Arlington, VA 22203

Phone:
866.961.6400

Email:
privacy@healthivibe.com

This contact information will be communicated clearly to participants in a manner appropriate for the data collection medium, and will be prominently displayed in any privacy policy used within one of the company’s websites or web-based services.

Privacy Shield

HealthiVibe has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.

In compliance with the Privacy Shield Principles, HealthiVibe commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact HealthiVibe.

If you are a resident of the European Economic Area and believe we maintain your Personal Data within the scope of the General Data Protection Regulation (GDPR), you may direct questions or complaints to the lead supervisory authority in your country of residence. A link is provided below for your convenience:

http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

Where a complaint cannot be resolved by any of the aforementioned recourse mechanisms, individuals may have a right to invoke binding arbitration under the Privacy Shield Panel as a recourse mechanism.

To review our certification on the Privacy Shield list, see the US Department of Commerce’s Privacy Shield self-certification list located at:

https://www.privacyshield.gov/list

International Regulatory Compliance

HealthiVibe complies with all recommendations and guidelines of the EU-US Privacy Shield and General Data Protection Regulation (GDPR). As an additional safeguard and in response to the invalidation of the International Safe Harbor framework, HealthiVibe stores all personally identifiable information on EU-based servers in Frankfurt, Germany. The project team has strictly controlled and compartmentalized access to the data, as does the server administration team. Prior to project execution, HealthiVibe also abides by each country’s data regulations and implements projects accordingly.

Updates to this Policy

This Policy is effective as of 13DEC2018. HealthiVibe will review the policy on an annual basis or more frequently, and update the policy as needed to reflect changing business, legal and regulatory requirements in the United States and abroad.