NxStage Medical, Inc. and its affiliates (collectively referred to as “NxStage” throughout this policy) take privacy very seriously. We are committed to protecting the privacy and confidentiality of health information that we obtain from you and your NxStage products and services through the use of the Nx2me application, and any Successor Products (collectively referred to as the “Nx2me App” throughout this policy) on behalf of your health care provider. The Nx2me App connects a NxStage hemodialysis device to a tablet computer to help your health care provider monitor your condition, and in doing so, processes personal information. Successor Products refers to applications developed and distributed in the future that serve the same or similar purposes of connecting a NxStage at-home medical device to a mobile computing device to provide medical condition information to your health care provider. This Policy explains our privacy practices regarding personal health information and other data that is collected, used and disclosed through your use of the Nx2me App.
Please note that NxStage may obtain, or may have already obtained, similar or matching information while providing services or products to you that are unrelated to the Nx2me App product or services. That information may be subject to the terms on which it was first obtained by NxStage.
Collection of Information
Collection of Health Information
We collect health information when you use the Nx2me App. When you use the Nx2me App, we collect identifying information necessary to create an account that will be used by your health care provider to store and manage health information. Thereafter, the Nx2me App will collect information from you and your NxStage products and services during your medical treatments. Examples of the types of information collected include:
- patient name;
- patient username;
- patient password;
- NxStage equipment serial numbers;
- treatment dates and times;
- treatment values, labs drawn and medication administered; and
- treatment assessments and notes.
Collection of Non-Health Information Generally
We may collect certain non-health information to provide the Nx2me App through Internet-enabled devices. This information may include the URL (or web addresses) of websites used to transfer health information from the Nx2me App to NxStage and your health care provider (for the purposes described in this policy).
We may also collect and maintain logs of Internet communications between the Nx2me App service components. These logs may contain information about the mobile device application software used to connect to the Nx2me App services, such as the operating system and other performance and troubleshooting information.
Collection of Non-Health Information through Mobile Device Management Software
At your health care provider’s request, we may use mobile device management software to assist your health care provider in managing the tablet computer provided to you by your health care provider, who may restrict your usage of such tablet computer to the Nx2me App or related health care purposes. This software allows us to assist with tablet computer management, including restricting access to the App Store, gaming and content. It also allows us to erase all data and settings, lock the device and remove the passcode, list installed applications, apply settings, and install and remove applications and data.
If you are using the Nx2me App on your own tablet computer, you may choose to allow us to use mobile device management software to assist you with respect to the Nx2me App. For example, we and/or the software provider could help you add or remove the Nx2me App, get updates to the application, add or modify network settings necessary to use the application, and provide other troubleshooting assistance to help with the proper functioning of the Nx2me App. You may be subject to separate agreements with the licensor of the mobile device management software, in which case its agreements and policies apply and govern between you and it for those activities.
When using the mobile device management software (whether on the tablet computer provided to you by your health care provider or whether on your own tablet computer), we and the software provider may collect certain non-health information. Examples of the types of information collected include:
- device information, such as the amount of battery life remaining or hard drive space;
- network information, including your Internet Protocol address (or IP address);
- list of installed applications; and
- whether or not the tablet computer is online.
Use and Disclosure of Information
Uses and Disclosures of Health Information on Behalf of Health Care Providers
We will disclose your health information to your health care provider for the purposes of medical treatment or other lawful purposes that may be established by contract between NxStage and your health care provider. We may also disclose your health information to other organizations acting on behalf of your health care provider if instructed to do so by your health care provider and permitted under applicable law. We may use health information for the management and administration of NxStage, as well as data aggregation, data de-identification, and legal obligations, to the extent such use of health information is permitted or required by your health care provider and not prohibited by law. You have the right to request that we limit the collection, use and disclosure of your personal health information – provided that certain collections of personal health information may be necessary in order to use the Nx2me App.
Disclosures to Third Party Service Providers
NxStage may occasionally hire service providers to perform limited tasks on our behalf, such as answering patient questions and providing technology resources. In the event that your information must be disclosed to a service provider, we will ensure that the service provider agrees to abide by the same privacy and security principles that apply to us. Only the information needed to perform tasks on behalf of NxStage is disclosed to service providers. Service providers are not permitted to use your information for any purpose other than providing services on behalf of NxStage.
Uses for Operation and Improvement of the NxStage Service
Non-health information may be used or shared to maintain and improve the operation of the Nx2me App. For example:
- URLs may be used to ensure that information collected from your NxStage home medical device and mobile device application software is properly routed to us and shared with your health care provider;
- log files may be used to assess the performance of the Nx2me App and other NxStage products and identify ways to improve efficiency, such as improving system response times; and
- as mentioned in the “Collection of Information” section above, non-health information collected through the use of mobile device management software may be used to assist in the set-up of or to troubleshoot issues with the Nx2me App.
Disclosures to Satisfy Legal Obligations or Defend Legal Rights
To the extent permitted by applicable law, we may also disclose your information if we believe such disclosure is necessary to:
- comply with the law or legal process served on NxStage;
- protect and defend the rights or property of NxStage (including the enforcement of our agreements); or
- act in urgent circumstances to protect the personal safety and welfare of NxStage customers, employees, or members of the general public.
Aggregated and De-identified Data
We may aggregate your health information with health information collected from other patients that use the Nx2me App. Aggregated data is not associated with your individual identifiable records – it is de-identified, meaning that individual identifiers will be removed in order to prevent any person or process from determining the identity of the data subject through any reasonably foreseeable means. Aggregated and/or de-identified data may be used to:
- improve the Nx2me App and other NxStage medical services and products;
- market the Nx2me App and other NxStage medical services and products; and
- protect your health information.
De-identified data may be disclosed to third parties. Data will only be aggregated or de-identified in ways permitted by your health care provider and applicable law.
We use appropriate safeguards to prevent the unauthorized use or disclosure of your information. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the information that we create, receive, maintain, or transmit on behalf of your health care provider. Please be aware, however, that no information system is 100% secure, and therefore we cannot guarantee against all potential security breaches. Moreover, the transmission of information over wireless and wired networks is not inherently secure, and we are not responsible for the transmission of information over networks that we do not control.
In order to enhance the security of your information, you should select a strong password. A strong password should include a combination of lowercase and uppercase letters, numbers, and special characters and should not contain your names, addresses, or significant dates or those of your friends or family. Memorize your password or store it in a safe location. In addition, you should not leave your mobile device unattended in public places.
Access to Health Information
We will make available to your health care provider information necessary for you to exercise your rights to access, amend, and request an accounting of your health information in accordance with applicable privacy laws including the Health Insurance Portability and Accountability Act (“HIPAA”) and its regulations.
For additional information about our privacy practices, see our general privacy statement at http://www.nxstage.com/privacy-policy-canada.
NxStage Medical, Inc.
Attn: Compliance Officer
350 Merrimack Street
Lawrence MA 01843
Effective Date: June 1, 2014