At HealthiVibe, a division of CorEvitas, LLC (HealthiVibe), we recognize that safeguarding sensitive and identifiable patient information is of critical importance. We acknowledge the responsibility that we assume whenever we handle identifiable information about any individual, as well as our legal obligations as they relate to data privacy laws and directives, including the Health Insurance Portability and Accountability Act (HIPAA), the European Union (EU) General Data Protection Regulation (GDPR) and International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use (ICH) Good Clinical Practice (GCP). Please note that while HealthiVibe is not a covered entity under HIPAA, we abide by our clients’ best practices for HIPAA guidelines.
HealthiVibe has enacted policies and training programs to support compliance with all applicable laws and this Policy. We follow strict processes for patient recruitment, communication, obtaining and analyzing data, and the personnel/facilities used in our projects. Our policies and training programs are reviewed on a regular basis and managed with senior executive oversight.
Types of Information We Collect
HealthiVibe collects information on behalf of our clients in face-to-face and virtual interviews, focus groups and advisory boards, as well as through online patient surveys to support clinical trial activities. The company also collects and stores website visitor and client authentication information associated with the HealthiVibe and HealthiView websites.
Medical and Personal Data
Information collected may include medical or diagnostic data, such as conditions and comorbidities, as well as personally identifiable data such as name, phone number, address, and email for use in follow-up interviews. In all cases, personally identifiable data is stored separately from medical data. Medical data records are linked to personal data through the use of a non-identifiable patient code. Access to personal data is strictly controlled and restricted to authorized HealthiVibe project staff. To the extent permitted by applicable law, we may use, process, transfer, and store this information in an anonymous (or pseudonymous) and aggregated manner.
HealthiVibe also collects personal information directly from patients as part of an opt-in database service. This information may be collected through an online survey or as part of an opt-in request through the company website. Information collected may include the patient’s name, phone number, mailing address, and email address, as well as self-reported data related to conditions and comorbidities, along with therapeutic areas of interest to the patient. This information is collected to help our clients gain a better understanding of patient perceptions, attitudes and preferences related to disease, treatment options, trial participation, etc., to help our clients, among other things, to improve the patient experience.
Client Website Authentication Data
HealthiVibe provides web-based access to de-identified patient survey data to clients through the HealthiView reporting platform. Client information collected and stored includes the user name, email address, and a hashed (encrypted) form of the user’s password to access the site.
Web Visitor Data
HealthiVibe may also collect, by means of our websites and web-based service offerings, non-personal information about a user’s technical configuration used to access HealthiVibe services. This may include browser and operating system versions, device manufacturer, IP (Internet Protocol) address, referral address, and access time. This information is used to maintain and monitor quality of our websites and to provide general statistics regarding use of our services. In some cases, IP addresses may also be used to restrict access to previously-completed surveys.
The above information is maintained in our system logs for analytical purposes to improve our web pages or track for quantitative research data analytics. The logs may be kept indefinitely and used at any time and in any way necessary to prevent a security breach and to ensure the integrity of the data on our servers.
HealthiVibe websites may, in addition, use “cookies.” Cookies are small text files stored directly on your device. These files are used for purposes of maintaining certain aspects of session state between website or online survey visits.
Storage of Personal Information
HealthiVibe has security in place to protect any collected personally identifiable information to prevent access to and misuse of that information or its loss or alteration.
Personally identifiable details of any collected data records are stored in encrypted form in a secure environment. Access to these records is restricted to authorized HealthiVibe project personnel only.
We implement strong security measures to protect personal or sensitive data collected. Although unlikely, if we experience a data breach or incident, we will take immediate action to stop the breach, mitigate any harm, communicate with all stakeholders impacted, and work closely with our partners to ensure any notifications follow applicable laws.
Retention and Disposal
HealthiVibe retains personal information according to a retention schedule specific to each project or the client’s best practice. Please refer to the project-specific privacy notice for further information.
For information collected as part of our opt-in database service, patients may contact HealthiVibe to request removal and use of any and all personal data whether or not you have previously consented to its use.
Disclosures of Personal Information
Personal information may be shared within HealthiVibe and with third parties only when such information sharing is specifically outlined in a project plan with a client on whose behalf the information has been collected.
HealthiVibe does not sell, trade, or rent personally identifiable information to any third parties.
On an exceptional basis, we may disclose personal information for the following reasons:
- When there is reasonable belief disclosure is required by law, including information requested by means of subpoena and court order.
- To report what appears to be illegal or fraudulent conduct to law enforcement authorities.
Notice and Consent
Notice will be provided to individuals whose personal data is being collected at the time of data collection. The notice will clearly describe how the information will be used and the circumstances under which it may be disclosed, as well as the individual’s informational rights under all applicable data privacy laws or under this Policy.
Children’s Data Privacy
We abide by laws designed to protect children involved in our research. Any individual who requests information about participation must be 18 years of age or older. We will not knowingly collect, use, or disclose personal data from a minor under the age of 18, without obtaining prior consent from a person with parental responsibility (e.g., a parent or guardian).
Links to Third-Party Sites
Our websites and web-based services may contain links to third-party websites, content, or services that are not owned or controlled by HealthiVibe. While we carefully evaluate third-party vendors to ensure they follow the same principles and best practices outlined in this Policy, HealthiVibe is not responsible for how these properties operate or treat personal information.
Sharing your Personal Information with Third Parties
We may disclose personal information that HealthiVibe has collected or that was provided by you to:
- Contractors and other third parties (i.e., recruitment, technology, or supporting business operations) utilized to support our business (third parties are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose the information).
- Comply with any court order, law or legal process, including to respond to any government or regulatory request.
- Protect and defend the rights of property of HealthiVibe (including the enforcement of our agreements).
- To act in urgent circumstances to protect the personal safety of users or the public.
- And for any other purpose disclosed by us when you provide the information and your consent.
HealthiVibe is liable for inappropriate transfers of personal data to third parties. HealthiVibe complies with the GDPR through the use of EU Commission-approved standard contractual clauses and/or on the basis of another transfer mechanism permitted under the GDPR.
In certain situations, HealthiVibe may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Additionally, HealthiVibe is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Your Personal Informational Rights
You have the right to access, modify, or delete any personally identifiable information stored by HealthiVibe, and to withdraw consent for its use at any time, without charge. Subject to applicable law, you also have the right to (i) restrict HealthiVibe’s use of other information that constitutes your personal information and (ii) lodge a complaint with your local data protection authority.
Requests may be made by mail, phone, or email, using the contact information below.
Data Protection Officer
c/o Chief Information Officer
HealthiVibe, a division of CorEvitas, LLC
4201 Wilson Boulevard, #110-321
Arlington, VA 22203
It is not anticipated that personal information will be transferred from the EU to the US; HealthiVibe has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved data protection complaints concerning any data that may be transferred to the US from the EU.
In the case that personal data is transferred from the EU to the US for commercial purposes, HealthiVibe protects such data consistent with EU Commission-approved standard contractual clauses and/or on the basis of another transfer mechanism permitted under the GDPR. Participants are informed about the risks associated with the transfer of personal data as part of the consent process.
If you are a resident of the European Economic Area and believe we maintain your personal data within the scope of the GDPR, you may direct questions or complaints to the lead supervisory authority in your country of residence. A link is provided below for your convenience:
International Regulatory Compliance
HealthiVibe complies with all recommendations and guidelines of the GDPR. As an additional safeguard and in response to the invalidation of the International Safe Harbor framework, and in order to prevent transfer of personal information from the EU to the US, HealthiVibe stores all personally identifiable information on EU-based servers in Frankfurt, Germany. The project team has strictly controlled and compartmentalized access to the data, as does the server administration team. Prior to project execution, HealthiVibe also abides by each country’s data regulations and implements projects accordingly.
Updates to this Policy