Safe Harbor Compliance Statement for Data Privacy
At AG Mednet, Inc., we recognize the importance of our role in securing the private information of our customers' and business partners' data, and we strive to safeguard this personal information (defined below). This US Safe Harbor Compliance Statement for Data Privacy (“Policy”) sets out the privacy principles published by the U.S. Department of Commerce as part of the Safe Harbor Frameworks relating to personal information transferred from the European Union (“EU”) and by extension all EEA member countries, or Switzerland to the United States.
AG Mednet, Inc. complies with the U.S. – EU Safe Harbor Framework regarding the collection, use, and retention of personal information transferred from the EU to the United States, as well as with the U.S. – Swiss Safe Harbor Framework regarding the collection, use, and retention of personal information from Switzerland. AG Mednet, Inc. certifies that it adheres to the U.S.-EU and U.S.-Swiss Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view AG Mednet’s certification, please visit www.export.gov/safeharbor.
About Safe Harbor
The “U.S.-EU Safe Harbor” program was established cooperatively by the United States Department of Commerce and the European Commission in 2000. This program sets forth the principles for the transfer of personal information from the European Union (“EU”) to companies operating in the United States.
The “U.S.-Swiss Safe Harbor” program was established cooperatively by the United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland in 2009. This program sets forth the principles for the transfer of personal information from Switzerland to companies operating in the United States.
Participation in the Safe Harbor programs is voluntary for companies operating in the United States. Companies participating in the Safe Harbor programs annually self-certify compliance with privacy standards adopted by the EU Commission and Switzerland and the United States Department of Commerce.
This Safe Harbor Statement governs personal information transferred from countries in the EU and Switzerland to the United States in connection with AG Mednet, Inc. Clinical Trial business activities.
For the purpose of Safe Harbor, “personal information” shall mean any information which may, directly or indirectly, identify or lead to the identification of a person. Personal information shall include, but is not limited to, an individual’s name, address, email address, telephone number, government identification number, license numbers of any kind, or photographs. Personal information shall not include information that is anonymous, stripped of identifying details, encoded or encrypted, or aggregated. Personal information also shall not include any information that is publicly available, except where such public information is supplemented with non-public, personally identifying information.
AG Mednet generally presents a low risk with regard to patient privacy regulations. AG Mednet is a software development / software services company providing a software service to covered entities. AG Mednet personnel are not directly involved in execution of any clinical trial protocols and AG Mednet does not create or review clinical trial records. Exam data that traverses the AG Mednet Network has been de-identified at the uploading terminal. Patient identifying information has been permanently removed in accordance with the specification written, approved, and tested by the end user (AG Mednet customer). Whether exams ultimately reside on customer-owned equipment (such as a PACS), or AG Mednet provided services (e.g. CDS), they remain irreversibly de-identified.
AG Mednet, Inc. complies with the following principles as applicable to AG Mednet, Inc. business defined in the AG Mednet, Inc. Patient Privacy Compliance Policy. AG Mednet, Inc. shall not be responsible for the compliance of its customers in the EU and Switzerland or the data privacy laws and regulations of any country.
Seven Safe Harbor Privacy Principles
Notice – Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.
AG Mednet neither collects nor is provided with patient contact information enabling it to provide notices or fulfill breach notification requirements. Any inquiries or complaints are reported directly to the covered entity, which in this case is defined as one of the following: a pharmaceutical sponsor, an imaging core laboratory or a CRO. If the inquiry or complaint in whole or part involves or is caused by the use of an AG Mednet product or service, AG Mednet would assist the covered entity with the inquiry, complaint and/or investigation.
Choice – Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
It is the responsibility of the covered entity to give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
Onward Transfer (Transfers to Third Parties) – To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the Safe Harbor Privacy Principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
AG Mednet does not share transfer data which may contain patient information directly with third party organizations.
Access – Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
Under standard operations, access to data which may contain patient information is strictly under the control of, and the responsibility of, the covered entity, which assumes the role of Trial Administrator. AG Mednet provides physical and logical access features/controls which are designed for this purpose into the AG Mednet Network. Base features are defined and tested by AG Mednet and results are available for review. Trials are configured per end-user (i.e., a covered entity contracting directly or indirectly with AG Mednet) specifications and verified by AG Mednet, and final testing and acceptance is completed by the end-user.
Security – Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
AG Mednet, Inc. provides physical and logical security features/controls which are designed into the AG Mednet Network. Base features are defined and tested by AG Mednet and the results are available for review. Trials are configured per end-user (i.e., a covered entity contracting directly or indirectly with AG Mednet) specifications and verified by AG Mednet, and final testing and acceptance is completed by the end-user.
AG Mednet, Inc. also takes corporate administrative precautions to safeguard personal data against foreseeable risks of theft, loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
Data integrity – Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
AG Mednet provides a service that has been designed and tested to ensure Data Integrity. These features/controls, which are designed into the AG Mednet Network, are defined and tested by AG Mednet and the results are available for review.
Enforcement – In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.
AG Mednet, Inc. has adopted a self-regulatory compliance program that includes mechanisms to verify ongoing compliance with the Safe Harbor Principles and this Privacy Statement. AG Mednet, Inc. will periodically review and verify its compliance with the Safe Harbor Principles and will rectify any issues of noncompliance. Personnel who are in violation of the Safe Harbor Principles or this Privacy Statement may be subject to disciplinary action, up to and including termination or release.
Any questions or concerns regarding the use or disclosure of personal information should be directed to the AG Mednet, Inc. Privacy Office at the address given below. AG Mednet will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information by reference to the principles contained in this Policy. For complaints that cannot be resolved between AG Mednet and the complainant, AG Mednet has agreed to participate in the following dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Safe Harbor Principles:
AG Mednet has designated JAMS as our Alternative Dispute Resolution (ADR) Provider for disputes under the U.S.-EU Safe Harbor Framework and/or U.S.-Swiss Safe Harbor Framework concerning collection, use, and retention of personal data from the European Union (EU) / European Economic Area (EEA) and/or Switzerland. Individuals who submit a question or concern to AG Mednet and who do not receive acknowledgment from AG Mednet of the inquiry or who think their question or concern has not been satisfactorily addressed should then contact the JAMS Safe Harbor Dispute Resolution Program on the Internet, by mail or by fax.
For information about JAMS or the operation of JAMS dispute resolution process, visit JAMS on the Internet at www.jamsadr.com.
Limitation on Scope of Principles
AG Mednet, Inc. will take all reasonable steps to comply with Safe Harbor principles and this policy. Strict compliance with Safe Harbor or these policies may be limited in certain cases and as required to meet legal, governmental or national security obligations. Information about limitations is set forth in the U.S. Department of Commerce Safe Harbor website.
Contact Information
James Martin
Privacy Officer
AG Mednet, Inc.
2 Atlantic Ave.
Boston, MA 02110
+1.617.674.8112
Effective Date: 16-Sep-2015