PharMe Privacy Policy

Effective Date: May 2023

Who does this policy affect?

This Privacy Policy applies to all persons (“study participants”) who have consented to participate in the PharMe evaluation study (“our,” “us,” or “we”). In addition, portions of this policy also apply to other visitors to, and users of, the PharMe mobile application (“App”), and PharMe services (app and services, collectively, “PharMe services”).

By using our App, you agree to this Privacy Policy and our Terms of Use.

Why did we create this policy?

We collect information from and about study participants and who use PharMe services. We care about your privacy and have considered it every step of the way. This Privacy Policy defines the types of information we may collect from you or that you may provide, and our practices for collecting, using, keeping, protecting, and sharing that information.

If you consent to be a study participant, the information we collect about you includes information about your health such as your medical history, age, health conditions you have, and medicines you take. It also includes personal information such as your name, phone number, and home address (Personally Identifiable Information or PII). Please read the complete definitions of PHI and PII in the Terms and Definitions section at the end of this document.

PharMe respects the privacy of all visitors and users of PharMe services and is committed to protecting privacy by following this Privacy Policy. We understand that PHI and PII are private, and we are dedicated to keeping this information accessible, confidential and consistent. Study participants that have reviewed and accepted this Privacy Policy will, by using a user name and password, have access to and can use PharMe services.

It’s up to you to read and understand this policy. If you have questions, contact us and we will answer them.

Please read this Privacy Policy carefully to understand our policies and practices about your information and how we will treat it. If you do not agree with our Privacy Policy, you can choose not to participate in any PharMe research study or to use PharMe services. By using our App, you agree to our Privacy Policy and our Terms of Use.

If you have questions, email us at ehivepgx@mssm.edu.

What kinds of data and information do we collect, and how do we collect it?

When you consent to be a study participant, we may collect and use or share your PHI and PII, but only to the extent minimally necessary, and only to the extent to which you have consented to such use. You accept that we may collect this PHI and PII from you directly, or from third parties that share your PHI or PII with PharMe. It is fully your choice whether to give PHI and PII as part of a research study or through PharMe services. If you choose not to give PHI or PII we need, you will not be able to participate in this research study and may not be able to use PharMe services.

Protected Health Information (PHI)

As used in this Privacy Policy, “Protected Health Information” means information related to your physical or mental health, such as:

• Your genetic data, medical history, family history, medical diagnosis, health background, current medications, and current health status
• Age, gender, sexual behavior and sexual orientation[, to the extent relevant to the evaluation research study]
• Demographic information, including race, ethnicity, marital status, salary, education, political, religious, and trade union information[, to the extent relevant to the evaluation research study]
• Information related to the diagnosis and treatment of health conditions, over-the-counter and prescription medications, laboratory test results[, and payments for treatment and health insurance information]
• Other information under an applicable law such as HIPAA or an equal State law covering the use or sharing of PHI and as defined by HIPAA

Personally Identifiable Information (PII)

As used in this Privacy Policy, “Personally Identifiable Information (PII)” means any information that may be used to identify you, such as your:

• First and last name, age, and gender
• Postal address, email address, telephone number, and other contact information
• Certain health information
• Other personally identifiable information under any law that applies, such as HIPAA or an equivalent State law covering the use or sharing of health information

Technical information

For both study participants and other users of PharMe services, we may collect and use technical data (data from your device hardware or software) and related information (“Technical Information”), including but not limited to:

• Technical information about devices you may receive such as manufacturer, service provider, IP address, operating system, browser type, and mobile number
• System and application software and peripherals
• Your interactions with PharMe services, including automatically recording the dates and times of visits to PharMe services, traffic data, and your search queries

We sometimes gather Technical Information to:

• Help software updates and product support
• Improve products and services to you that are related to PharMe
• Measure the number of our users and how they use PharMe services
• Store information about your preferences, allowing us to customize our products and services to your interests
• Speed up your searches and recognize when you return to our App and use PharMe services

We may also automatically receive and record information on our server logs from your browser or mobile device, which could include your IP address, cookie information, browser information, and the pages you visit/request. This is done in an anonymous manner and helps us improve the platform and make sure things are working just right. PharMe does not consider nor intend Technical Information to constitute PHI or PII. PharMe may use Technical Information in any way it believes is proper and lawful.

The Privacy Policy applies to the following ways we collect data and information:

• Through email, text, video, and voice communications between you and us
• Through offline community activities and communications
• From physicians, hospitals, clinics, schools, and any other organizations or groups that you give permission to share information with PharMe
• Through any or all of PharMe’s services, including the App

Why does PharMe need to collect my data and information?

PharMe is a digital platform delivered through a mobile application. It is designed to communicate guideline-based implications of your DNA on medication efficacy and safety. Currently, PharMe is only accessible to study participants who help us to evaluate the services.

To support this, we need to ensure that each study participant and other user who gives Information, clearly allows it to be used or shared. For this reason, we need a license from you to use or share your Information, whether we get it directly from you or, if applicable, from third parties you name.

How do we use your data and information?

If you are a study participant, during the research study, your PHI, and to an extent your PII, along with results of any tests/procedures collected as part of the study, will be used for the study as explained in the consent form you signed, and as outlined below. You should be aware that the results of this study could be published or presented at scientific meetings, lectures, etc., but would not include any portion of your PHI or PII that would let others know who you are, unless you give separate, explicit permission to do so. The portion that is shared is known as “de-identified” PHI, or PII, and is also referred to below as “blind data”.

We use your PHI and PII:

• To help deliver PharMe services to you and to the researchers conducting the study on PharMe
• To give you information or services that are part of the research study in which you participate
• To give you notices and communications found suitable by us [or your physician or research study leader]
• To fulfill any other purpose for which you may give us the information, including as part of publishing or presenting the results of the research study
• To carry out our duties from any contracts into which we may have entered related to you
• To let you know about changes to the PharMe Privacy Policy and PharMe services
• To obey any court order, law, or legal process, including responding to any government or regulatory request
• To enforce or apply our Terms of Use
• If we believe sharing Information is needed to protect PharMe’s rights, privacy, security, property, and access to information
• In any other way we may define when you give Information
• For any other purpose with your lawful consent

We collect and share only the data we need

Except as described in this Privacy Policy or in our Terms of Use, PHI, PII, or Technical information (including, as applicable, location-based information, and behavior tracking information) (collectively, “Information”) that you give or that we collect from third parties, will be kept private and used or shared only to the extent minimally necessary to support the evaluation research study in which you participate, or to support PharMe services.

At all times, we will only use or share your PHI and PII to the extent minimally necessary for the intended use or disclosure. The PharMe minimum necessary policy follows the current industry standard that PHI and PII shouldn’t be used or shared when it is not necessary to satisfy a certain purpose or carry out a function. Read the full definition of “minimum necessary” in the Terms and Definitions section at the end of this document.

What are you agreeing to in this policy?

By using our App, or by signing a consent, you agree to our Privacy Policy and our Terms of Use.

When we have your consent, you accept that we may collect this PHI from you directly or from third parties that you may allow to share PHI with PharMe. We may ask you or allowed third parties to give PHI about you that will allow us to enhance how we conduct the evaluation research study, as well as serve your needs and your use of PharMe services. It is fully your choice whether you give PHI through PharMe services. If you choose not to give the PHI we need, you may not be able to participate in a research study or use some parts of PharMe services.

The applicable research team and other authorized members of The Mount Sinai Health System ("Mount Sinai") workforce may use and share your information, including PHI and PII, to ensure that the research meets legal, institutional or accreditation requirements. For example, the Program for the Protection of Human Subjects at Icahn School of Medicine at Mount Sinai is responsible for overseeing research on human subjects and may need to see your PHI. If you receive any payments for taking part in this study, the Mount Sinai Finance Department may need your name, address, social security number, payment amount, and related information for tax reporting purposes. If the research team uncovers abuse, neglect, or reportable diseases, this information may be disclosed to appropriate authorities.

You also give PharMe a lasting, non-exclusive, transferable, sub-licensable, royalty-free license to use your Information and other data we collect to include that information in our published or presented results of any research study, as well as to develop, create, and extract statistics and other information, and to use this information and de-identified data known as “blind data”. Notwithstanding anything that may be to the contrary in this Privacy Policy, any blind data PharMe collects or creates will be owned solely by PharMe. This data may be used for any lawful business purpose without your consent, so long as this data is not PHI or PII and doesn’t identify the source of such data. Your authorization for the use of your PHI and PII for the specific PharMe research study does not expire.

What control do you have over your data and information?

Accessing and correcting your PHI and PII

During your participation in this program, you will have access to your medical information and any information that is part of that record.

•  You can review and, subject to applicable laws, change your PHI and PII by accessing PharMe services using your user name and password.
• You may also send us an email at ehivepgx@mssm.edu to request access if you want to correct or delete any PII and PHI (subject to applicable laws) viewable on PharMe services.

We may not be able to carry out a request to change PHI and PII if we believe the change would violate any law or legal requirement or cause the information to be incorrect. The research teams administering a study are not required to release to you research information that is not part of your medical record.

If you are authorizing the release of HIV-related information, you should be aware that the recipient(s) is (are) prohibited from re-disclosing any HIV-related information without your authorization unless permitted to do so under federal or state law.

Choices you can make about how we may use or disclose your Information

We try to give you choices about your PHI and PII. We have created methods to give you control over your information. You can set your browser or mobile privacy settings to refuse all or some browser cookies (described below), or alert you when cookies are being sent, or to prevent the app from sharing or using certain mobile device information with PharMe. If you disable or refuse cookies, or restrict or mobile device privacy settings, please note that some parts of PharMe services may not work.

We may use your PHI and PII to contact you about our services and about the research study. The technologies we use for this automatic data collection may include:

• Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by changing the settings on your browser (such as Safari, Microsoft Edge, Firefox, and Chrome). However, by doing this, you may be unable to access certain parts of PharMe services. Unless you have changed your browser settings to refuse cookies, our system will issue cookies when you direct your browser to our App.
• Flash Cookies. A Flash cookie is similar to a browser cookie, but a program uses it instead of the browser. Certain features of our App may use Flash cookies to collect and store information about your preferences and navigation to, from, and on our App. Flash cookies are not managed by the same browser settings that are used for browser cookies.

We do not respond to Do Not Track signals in web browser software

Some web browsers (including Safari, Microsoft Edge, Firefox, and Chrome) include a “Do Not Track” (“DNT”) or similar feature that signals to digital services that a visitor does not want to have any online activity tracked. This can block the digital service from collecting certain Information about the browser’s user. Not all browsers offer a DNT choice, and there isn’t a standard yet for DNT signals. For these reasons, we, and many other digital service operators, don’t respond to DNT signals.

Keeping your data and information secure

How we secure your information

We have applied reasonable and suitable administrative, technical, and physical safeguards designed to protect your Information from illegal access, use or sharing. All our data, including all Information you provide to us, is stored in a HIPAA-compliant secure server with limited access with an approved cloud services provider. These safeguards include, without limitation, encrypting all PHI and PII.

When you consent to join this study, only the study team will be able to access your study data. Your identifying information is always kept separate from your study data. How? When you participate in the PharMe validation study, we will replace your name and other identifying information with a random code. This code will be connected to your study data instead of your identifiers, which is a process of de-identifying your data. This means researchers can analyze the data without knowing who you are. The PharMe app itself does not know about your personal information at all, it uses a different pseudonym from the study pseudonym.

When you participate in the PharMe evaluation study, your study data will be stored in a way that keeps your information as safe as possible and prevents unauthorized people from getting to your data. Even with the de-identification process and these procedures, it is sometimes still possible to re-identify an individual. This risk, while very low, should still be considered before enrolling in a study.

What you can do to help secure your information

The safety and security of your Information also depends upon you. Where we have given you (or where you have selected) a user name and password to access PharMe services, you are responsible for keeping this information private. It is in your best interest to not share your user name or password with anyone.

Please keep in mind that whenever you willingly share Information on message boards or other public forums and features, or through email or group messaging, that Information can be collected and used by others who you may or may not have given consent. By posting Information online that is publicly accessible, you may receive unwanted messages from other parties or reveal your location. We are not responsible for the security or privacy of any Information you choose to send outside the scope of PharMe services.

Where is your data and information stored?

Information collected from you may be stored and processed in the United States [or any other country in which PharMe, Mount Sinai and its research teams, or their respective affiliates, subsidiaries, agents or contractors are located]. If you are accessing PharMe services from the European Union, or other regions with laws governing data collection and use, please note that you are agreeing to the transfer of your data to the United States, and processing globally. By giving your Information, you consent to any transfer and processing following this Privacy Policy.

Who is not covered by this policy?

Children under the age of 18

PharMe neither designed nor intended its services to be accessed by children under the age of 18. No one under age 18 may provide any information to or through PharMe services. If you are under age 18, do not give any information through PharMe services. We do not intentionally collect Information directly from children under the age of 18 for PharMe products or services.

We also do not collect any PHI from anyone under 18 unless clearly authorized under Federal and equivalent State law. No one under age 18 may give any health-related information through PharMe services unless PharMe confirms that sharing would follow applicable Federal or State laws.

If we learn we have collected or received PII or PHI from a child under age 18, we will delete that Information and take other appropriate measures. If you believe that we may have collected any Information, including PII or PHI directly from a child under age 18, please contact our Privacy Officer immediately at ehivepgx@mssm.edu.

Third-Party Products, Services and Technologies

We may provide links to third-party websites within PharMe services. Such links may appear as a specific domain name or URL. Please be aware that other websites and services, including the websites of third parties that you connect with through PharMe services, may collect PII about you. This Privacy Policy does not cover the information practices of those third-party websites, services, or applications and PharMe cannot control and is not responsible for the information collection practices of any such websites, services or applications. We encourage you to carefully review the terms of use, privacy policies, and any other legal notices on such websites before using or giving Information to them.

Physicians or other health care providers

Physicians or other health care providers, to the extent they are “Covered Entities” under HIPAA (as such term is defined in HIPAA), likely have their own privacy and security policies with respect to your PHI and PII. For more information about your rights under HIPAA, see www.hhs.gov/ocr/privacy/.

How do we manage this policy?

The PharMe App will have a link to this Privacy Policy. All users of the PharMe App will get a prompt to review the PharMe Privacy Policy. The Privacy Officer will review and update this policy at least once a year.

This policy may change. We will do our best to let you know if it does.

We may change this Privacy Policy and our Terms of Use from time to time, and while we will do our best to let you know of any changes, it is up to you to review this Privacy Policy and the Terms of Use over time. We consider your continued use of PharMe services after we make changes as acceptance of those changes. Please check our Privacy Policy over time for updates. When we change the Privacy Policy or Terms of Use, we will also update the “Effective” date on the relevant document and may let you know directly or post a message on our App.

If we make changes to our Privacy Policy or make material changes to how we treat our users’ PHI or PII, we will let you know by emailing the primary email address you have provided. The last revision date of our Privacy Policy is at the top of the page. It’s up to you to ensure we have an up-to-date active and deliverable email address for you, and to visit our App and this Privacy Policy for changes.

Who is in charge of this policy?

Our Privacy Officer is responsible for the development, revision, and update of PharMe Privacy Policy.

Terms and definitions

Disclosure – The sharing, release, transfer, provision of access to, or divulging in any other manner of information to others outside the entity holding the information.

HIPAA – (United States Health Insurance Portability and Accountability Act of 1996) - two sections: HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs; HIPAA Title II includes an administrative simplification section which deals with the standardization of healthcare-related information systems. For more information, visit www.hhs.gov/ocr/privacy/.

HITECH Act (Health Information Technology for Economic and Clinical Health Act) – The HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 is legislation that was created to stimulate the adoption of electronic health records (EHR) and the supporting technology in the United States. The HITECH Act also expands the standards that aid in electronic exchange of health information nationally and provides incentives for covered entities that adopt Electronic Health Records (EHR).

Individual – shall mean the person who is the subject of the Protected Health Information or Personally Identifiable Information.

Information – All aspects of Protected Health Information, Personally Identifiable Information, and Technical Information (collectively known as “Information”)

Minimum Necessary (Need to Know) – Minimum necessary, (or informally, need to know rule), is a key protection of the HIPAA Privacy Rule. The PharMe minimum necessary policy adheres to the current industry standard that PHI and PII should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices, and enhance safeguards as needed to limit unnecessary or inappropriate access to, and disclosure of, PHI and/or PII. When using or disclosing PHI and/or PII, or when requesting PHI and/or PII from another health care provider or health organization, PharMe will limit the request to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. Minimum Necessary does not apply in the following circumstances:

1. Disclosures by a health care provider for treatment or as part of a research study (students and trainees are included as health care providers for this purpose).
2. Uses and disclosures based upon a valid consent to use and disclose PHI and/or PII or treatment, payment and health care operations or a valid authorization to use and disclose PHI and/or PII.
3. Disclosures made to the Secretary (or designee) of the United States Department of Health and Human Services, or any other State or Federal agency requesting disclosure under prevailing law.
4. Uses and disclosures required by law or regulatory guidance.
5. Uses and disclosures required by other sections of the HIPAA privacy regulations.

Privacy and Security Officials (PSOs) – The PharMe Privacy Officer and the PharMe Security Officer are responsible for HIPAA privacy and security compliance issues.

Personally Identifiable Information (PII)/ Protected Health Information (PHI) – Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context including health information transmitted or maintained in any form or medium, including oral, written, and electronic. PHI relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PII where there is a reasonable basis to believe the information can be used to identify an individual.