Privacy Notice

Collection and use of personal information

You may be asked to provide personal information in certain fields on this website. The personal information collected on this site is used for the purpose for which it is requested:

Professional information and CVs are requested from site applicants and are used to evaluate and qualify the applicant. This information is not used for any other purpose and is not shared with any entity unrelated to RadMD. Information regarding applicants who no longer use the services of RadMD is disposed of when they are no longer under consideration or when the information is considered outdated (usually no longer than one year).

Collection and use of non-personal information

The RadMD website does not employ cookies or data-collection techniques other than the forms presented in the registration process. No data other than that given voluntarily and intentionally is collected or stored.

Information sharing or disclosure

Information you provide at this site will not be transferred to unrelated third parties, unless we have your permission to do so. However, please note that personal information provided to this site may be subject to disclosure pursuant to judicial or other government subpoenas, warrants or orders.

Confidentiality and security

RadMD has implemented reasonable security measures in order to protect both personal and non-personal information from loss, misuse and unauthorized access, disclosure, alteration or destruction. Our employees are made aware of and are accountable for compliance with these procedures.

Clinical data privacy statement

Introduction:

RadMD adheres to the data protection requirements set forth in the European Union's General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and the US Health Insurance Portability and Accountability Act of 1996 (HIPAA). During a clinical trial, RadMD may receive unsolicited Personal Identifying Data (PII) from Clinical Trial Sites. The following policy defines our responsibilities regarding how Personal Identifying Data is managed in adherence to GDPR and HIPAA principles and guidelines.

Definitions:

Anonymized Data: Data rendered anonymous in such a way that the data subject is not or no longer identifiable.

Data Breach: Under HIPAA, an impermissible use or disclosure that compromises the security or privacy of protected health information. Under GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

  • See HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, and GDPR Article 4: Definitions

Data Controller: Entity that determines the purposes and means of the processing of personal data (e.g. Sponsor).

Data Processor: Entity that processes personal data on behalf of the controller (e.g. CRO). Defined within the EU General Data Protection Regulation (GDPR) as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

De-identify: The process of removing or masking data so that it cannot be attributed to a specific, identifiable individual.

Personal Identifying Data (PII): Any information relating to an identified or identifiable natural person, such as a name; an identification number; location data; an online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Protected Health Information (PHI): Individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, maintained, or transmitted by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or healthcare operations.

Pseudonymized Data: Personal data that has been processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information.

Re-identify: The process of combining de-identified data with additional data to attribute the data to a specific, identifiable individual.

Policy:

RadMD implements appropriate technical and organizational measures so that processing meets the requirements of the EU General Data Protection Regulation and US HIPAA law and protects the rights of the data subject.

As a Contract Research Organization (CRO) RadMD acts as a Data Processor for imaging data used in support of clinical trials on behalf of sponsors (Data Controllers).

RadMD does not solicit or accept PII or PHI from any subject in a clinical trial, nor does RadMD store PII or PHI on any subject on any system internal to RadMD. Any PII or PHI received through normal operations (uploaded by Clinical Sites or received from them on physical media) is de-identified prior to processing by RadMD.

RadMD does not process PII or PHI covered by this policy for purposes outside the scope of providing services to its Sponsors, or as required by law. For the purposes of clinical study activities, RadMD does not collect personal information.

The process for uploading data acquired by clinical sites is governed by SOPs and training procedures administered and maintained by RadMD. These processes include the following elements:

  • Clinical Sites are responsible for image acquisition, processing, and de-identifying personal data prior to upload to RadMD systems.
  • PII and PHI are masked or de-identified as pseudonymized data prior to processing by RadMD.
  • RadMD manages the training records for clinical sites regarding image upload and de-identification procedures to ensure all sites are able to properly de-identify data prior to upload to RadMD.
  • Where PII or PHI is erroneously uploaded or incompletely obscured by Clinical Sites, or is provided to RadMD on physical media, RadMD is responsible for de-identifying the data prior to processing. This activity is governed by SOP and may include deletion of the data from RadMD systems.

RadMD will notify its sponsors of any violation of the EU General Data Protection Regulation or the Health Insurance Portability and Accountability Act, and of any security breach that exposes subject PII or PHI on any RadMD-controlled system. This notification shall be made within 24 hours of detection by RadMD.

RadMD maintains security processes to control access to internal systems and to detect data breaches. These processes are monitored on an ongoing basis by RadMD personnel.

Contact Information:

If you have any questions regarding this policy, or data privacy concerns regarding RadMD, please contact us at:

data.privacy@Rad-MD.net

Changes to this privacy policy

We may amend this privacy policy from time to time as we add new products and services, as we improve our current offerings, and as technologies change. If we make any material or substantive changes in our treatment of information collected at this site (www.rad-md.com), we will notify you by posting a clear and conspicuous notice of these changes on our website and in this privacy policy.

Changes in corporate structure

If all or part of the company is sold, merged or otherwise transferred to another entity, the information that you have provided at this site may be transferred as part of that transaction. However, RadMD will take reasonable steps to ensure that such information is used in a manner consistent with the RadMD privacy policy under which it was collected.