NxStage Medical, Inc. and its subsidiaries ("NxStage") take privacy very seriously. We are committed to protecting the privacy and confidentiality of personal information, including health information, that we obtain from you and your NxStage products and services through your use of the Nx2me Connected Health® application, and any successor products (collectively referred to as the "Nx2me App" throughout this policy). The Nx2me App connects a NxStage hemodialysis device to a tablet computer to help your healthcare provider monitor your condition, and in doing so, processes Personal Information.
This Policy explains our privacy practices regarding Personal Information, including personal health information, and other data that is collected, used and disclosed through your use of the Nx2me App.
Please note that NxStage may obtain, or may have already obtained, information that is similar to or matches the information collected through your use of the Nx2me App while providing services or products to you that are distinct from the Nx2me App product or services. That information is subject to the terms on which it was first, or otherwise is subsequently, obtained by NxStage outside of the Nx2me App, and the privacy protections articulated in this Policy and afforded to Personal Information may be different than those afforded to similar or matching information obtained by NxStage outside of the Nx2me App.
Collection of Information
Collection of Personal Information and Personal Health Information
We collect Personal Information and health information when you use the Nx2me App.
Examples of the types of information collected include:
- patient name;
- patient username;
- patient password;
- NxStage equipment serial numbers;
- treatment dates and times;
- treatment values, labs drawn and medication administered; and
- treatment assessments and notes.
Collection of Non-Health Information Generally
We may collect certain non-health information to provide the Nx2me App through Internet-enabled devices. This information may include the URL (or web addresses) of websites used to transfer health information from the Nx2me App to NxStage and your healthcare provider (for the purposes described in this policy).
We may also collect and maintain logs of Internet communications between the Nx2me App service components. These logs may contain information about the mobile device application software used to connect to the Nx2me App services, such as the operating system and other performance and troubleshooting information.
Collection of Non-Health Information through Mobile Device Management Software
At your healthcare provider’s request, we may use mobile device management software to assist your healthcare provider in managing the tablet computer provided to you by your healthcare provider, who may restrict your usage of such tablet computer to the Nx2me App or related healthcare purposes. This software allows us to assist with tablet computer management, including restricting access to the App Store, gaming and content. It also allows us to erase all data and settings, lock the device and remove the passcode, list installed applications, apply settings, and install and remove applications and data.
If you are using the Nx2me App on your own tablet computer, you may choose to allow us to use mobile device management software to assist you with respect to the Nx2me App. For example, we and/or the software provider could help you add or remove the Nx2me App, get updates to the application, add or modify network settings necessary to use the application, and provide other troubleshooting assistance to help with the proper functioning of the Nx2me App. You may be subject to separate agreements with the licensor of the mobile device management software, in which case its agreements and policies apply and govern between you and it for those activities.
When using the mobile device management software (whether on the tablet computer provided to you by your healthcare provider or whether on your own tablet computer), we and the software provider may collect certain non-health information. Examples of the types of information collected include:
- Device information, such as the amount of battery life remaining or hard drive space;
- Network information, including your Internet Protocol address (or IP address);
- List of installed applications; and
- Whether or not the tablet computer is online.
Use and Disclosure of Information
We use Personal Information collected from the Nx2me App for the purposes of:
- creating an account that will be used by your healthcare provider to store and manage your health information; and
- maintaining and improving the operation of the Nx2me App.
To the extent permitted by law, required by your healthcare provider and not prohibited by the terms of any agreement we have with your healthcare provider, we use your identified personal health information collected from the Nx2me App for the following purposes:
- management and administration of NxStage;
- data aggregation;
- data de-identification, with respect to US resident information;
- data anonymization, with respect to UK resident information;
- compliance with our legal obligations; and
- to enable access and use by your healthcare provider.
We may also use your Personal Information, including your health information, for other purposes provided that we inform you of these uses and obtain a valid consent from you, consistent with applicable law. As described below, we may use your de-identified health information or, as it relates to UK resident information, your anonymized health information, for any purpose, provided that such use is consistent with law and the terms of our agreements with your healthcare provider.
Disclosures of Health Information on Behalf of Healthcare Providers
We will disclose Personal Information, including your health information, that is collected by the Nx2me App from you and your NxStage products and services during your medical treatments, to your healthcare provider for the purposes of medical treatment or other lawful purposes that may be established by contract between NxStage and your healthcare provider. We may also disclose your Personal Information, including your health information, to other organizations acting on behalf of your healthcare provider if instructed to do so by your healthcare provider and permitted under applicable law.
You have the right to request that we limit the collection, use and disclosure of your Personal Information, including your health information – except that certain collections of health information may be necessary in order to use the Nx2me App.
Disclosures to Third Party Service Providers
NxStage may occasionally hire service providers to perform limited tasks on our behalf, such as answering patient questions and providing technology resources. In the event that your Personal Information must be disclosed to a service provider, we will ensure that the service provider agrees to abide by the same privacy and security principles that apply to us. Only the information needed to perform tasks on behalf of NxStage is disclosed to service providers. Service providers are not permitted to use your information for any purpose other than providing services on behalf of NxStage.
All Personal Information, including your health information, that is collected by the Nx2me App from you and your NxStage products and services during your medical treatments, is transmitted to, stored and processed by NxStage in the United States. Such information will be protected subject to this Policy, applicable law, and contracts that require appropriate safeguards to be implemented as required by the law of your country. NxStage has implemented appropriate safeguards by ensuring that such data transfers are made in accordance with the Standard Contractual Clauses as adopted by the European Commission regarding the processing of Personal Information from European Union member states. In addition, NxStage complies with the U.S.-EU Privacy Shield Framework administered by the U.S. Department of Commerce and NxStage self-certifies, on an annual basis to the U.S. Department of Commerce, its adherence to the Privacy Shield Principles. For more information about the Privacy Shield Framework and to view our certification page, please visit the U.S. Department of Commerce’s website at http://www.privacyshield.gov.
Uses for Operation and Improvement of the NxStage Service
Non-health Personal Information may be used or shared to maintain and improve the operation of the Nx2me App. For example:
- URLs may be used to ensure that information collected from your NxStage home medical device and mobile device application software is properly routed to us and shared with your healthcare provider, and
- log files from your NxStage home medical device may be used to assess the performance of the Nx2me App and other NxStage products and identify ways to improve efficiency, such as improving system response times.
- As mentioned in the "Collection of Information" section above, non-health Personal Information collected through the use of mobile device management software may be used to assist in the set-up of or to troubleshoot issues with the Nx2me App.
Disclosures to Satisfy Legal Obligations or Defend Legal Rights
To the extent permitted by applicable law, we may also disclose your information if we believe such disclosure is necessary to:
- comply with the law or legal process served on NxStage;
- protect and defend the rights or property of NxStage (including the enforcement of our agreements); or
- act in urgent circumstances to protect the personal safety and welfare of NxStage customers, employees, or members of the general public.
Aggregated and De-identified or Anonymized Data
We may aggregate your health information with health information collected from other patients that use the Nx2me App. Aggregated data is not associated with your individual identifiable records – it is de-identified or anonymized, meaning that individual identifiers will be removed so the information cannot reasonably be used to identify you. Such data may be used to:
- improve the Nx2me App and other NxStage medical services and products;
- market the Nx2me App and other NxStage medical services and products; and
- protect your health information.
Data will only be aggregated and de-identified or anonymized in ways permitted by your healthcare provider and applicable law. Such data may be disclosed to third parties.
We use appropriate safeguards to prevent the unauthorized use or disclosure of your Personal Information. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Personal Information that we create, receive, maintain, or transmit on behalf of your healthcare provider. Please be aware, however, that no information system is 100% secure, and therefore we cannot guarantee against all potential security breaches. Moreover, the transmission of information over wireless and wired networks is not inherently secure, and we are not responsible for the transmission of information over networks that we do not control.
In order to enhance the security of your Personal Information, you should select a strong password. A strong password should include a combination of uppercase and lowercase letters, numbers, and special characters and should not contain your names, addresses, or significant dates or those of your friends or family. Memorize your password or store it in a safe location. In addition, you should not leave your mobile device unattended in public places.
We will retain your Personal Information in accordance with our retention policies and we shall securely delete your Personal Information where required under our policies or in accordance with applicable law.
Access to Health Information
We will make available to your healthcare provider information necessary for you to exercise your rights to access, amend, restrict, object to, request confidential communications of, and request an accounting of certain disclosures of your health information in accordance with applicable privacy laws, including for residents of the United States using the Nx2me App, the Health Insurance Portability and Accountability Act ("HIPAA") and its regulations.
For additional information about our privacy practices, see our general privacy statement at http://www.nxstage.com/privacy-policy.
Where local law permits, you have a right to complain to the local data protection authority about NxStage’s handling of your Personal Information.
NxStage Medical, Inc.
Attn: Privacy Officer
350 Merrimack Street
Lawrence MA 01843
NxStage Medical UK, Limited
21 Holborn Viaduct
London, EC1A 2DY
Effective Date: December, 2017