NxStage Privacy Policy for the Nx2me® App

NxStage Medical, Inc. and its subsidiaries ("NxStage") take privacy very seriously. We are committed to protecting the privacy and confidentiality of personal information, including health information, that we obtain from you and your NxStage products and services through the use of the Nx2me application, and any Successor Products (collectively referred to as the "Nx2me App" throughout this policy). The Nx2me App connects a NxStage hemodialysis device to a tablet computer to help your healthcare provider monitor your condition, and in doing so, processes Personal Information.

This Policy explains our privacy practices regarding Personal Information, including personal health information, and other data that is collected, used and disclosed through your use of the Nx2me App.

Please note that NxStage may obtain, or may have already obtained, similar or matching information while providing services or products to you that are unrelated to the Nx2me App product or services. That information is subject to the terms on which it was first, or otherwise is subsequently, obtained by NxStage outside of the Nx2me App, and the privacy protections articulated in this Policy and afforded to Personal Information may be different than those afforded to similar or matching information obtained by NxStage outside of the Nx2me App.

Collection of Information

Collection of Personal Information and Personal Health Information

We collect Personal Information and health information, when you use the Nx2me App. Examples of the types of information collected include:

  • patient name;
  • patient username;
  • patient password;
  • NxStage equipment serial numbers;
  • treatment dates and times;
  • treatment values, labs drawn and medication administered; and
  • treatment assessments and notes.
Collection of Non-Health Information Generally

We may collect certain non-health information to provide the Nx2me App through Internet-enabled devices. This information may include the URL (or web addresses) of websites used to transfer health information from the Nx2me App to NxStage and your health care provider (for the purposes described in this policy).

We may also collect and maintain logs of Internet communications between the Nx2me App service components. These logs may contain information about the mobile device application software used to connect to the Nx2me App services, such as the operating system and other performance and troubleshooting information.

Collection of Non-Health Information through Mobile Device Management Software

At your health care provider’s request, we may use mobile device management software to assist your health care provider in managing the tablet computer provided to you by your health care provider, who may restrict your usage of such tablet computer to the Nx2me App or related health care purposes. This software allows us to assist with tablet computer management, including restricting access to the App Store, gaming and content. It also allows us to erase all data and settings, lock the device and remove the passcode, list installed applications, apply settings, and install and remove applications and data.

If you are using the Nx2me App on your own tablet computer, you may choose to allow us to use mobile device management software to assist you with respect to the Nx2me App. For example, we and/or the software provider could help you add or remove the Nx2me App, get updates to the application, add or modify network settings necessary to use the application, and provide other troubleshooting assistance to help with the proper functioning of the Nx2me App. You may be subject to separate agreements with the licensor of the mobile device management software, in which case its agreements and policies apply and govern between you and it for those activities.

When using the mobile device management software (whether on the tablet computer provided to you by your health care provider or whether on your own tablet computer), we and the software provider may collect certain non-health information. Examples of the types of information collected include:

  • Device information, such as the amount of battery life remaining or hard drive space
  • Network information, including your Internet Protocol address (or IP address);
  • List of installed applications; and
  • Whether or not the tablet computer is online.

Use and Disclosure of Information

We use Personal Information collected from the Nx2me App for the purposes of:

  • creating an account that will be used by your healthcare provider to store and manage your health information; and
  • to maintain and improve the operation of the Nx2me App.

To the extent permitted by law, required by your healthcare provider and not prohibited by the terms of any agreement we have with your healthcare provider, we use your identified personal health information collected from the Nx2me App for the following purposes:

  • management and administration of NxStage;
  • data aggregation;
  • data de-identification;
  • compliance with our legal obligations; and
  • to enable access and use by your healthcare provider.

We may also use your Personal Information, including your health information for other purposes provided that we inform you of these uses and obtain a valid consent from you, consistent with applicable law. As described below, we may use your de-identified health information for any purpose, provided that use is consistent with law and the terms of our agreements with your healthcare provider.

Disclosures of Health Information on Behalf of Health Care Providers

We will disclose Personal Information, including your health information, that is collected by the Nx2me App from you and your NxStage products and services during your medical treatments, to your healthcare provider for the purposes of medical treatment or other lawful purposes that may be established by contract between NxStage and your healthcare provider. We may also disclose your Personal Information, including your health information, to other organizations acting on behalf of your healthcare provider if instructed to do so by your healthcare provider and permitted under applicable law.

You have the right to request that we limit the collection, use and disclosure of your Personal Information, including your health information – except that certain collections of health information may be necessary in order to use the Nx2me App.

Disclosures to Third Party Service Providers

NxStage may occasionally hire service providers to perform limited tasks on our behalf, such as answering patient questions and providing technology resources. In the event that your Personal Information must be disclosed to a service provider, we will ensure that the service provider agrees to abide by the same privacy and security principles that apply to us. Only the information needed to perform tasks on behalf of NxStage is disclosed to service providers. Service providers are not permitted to use your information for any purpose other than providing services on behalf of NxStage.

Cross-Border Transfer

All Personal Information, including your health information, that is collected by the Nx2me App from you and your NxStage products and services during your medical treatments, is transmitted to, stored and processed by NxStage in the United States. Such information will be protected subject to this Policy, applicable law, and contracts that require appropriate safeguards to be implemented as required by the law of your country. If you are located in the United Kingdom, you must complete the Consent Form agreeing to the use and transfer of your Personal Information in this way as consent is the basis we are relying on to use your Personal Information. You have the right to withdraw your consent at any time although exercising this right does not affect our continued lawful use of your information collected before you revoked your consent. NxStage has implemented appropriate safeguards by ensuring that such data transfers are made in accordance with the Standard Contractual Clauses as adopted by the European Commission regarding the processing of Personal Information from European Union member states. In addition, NxStage complies with the U.S.-EU Privacy Shield Framework administered by the U.S. Department of Commerce and NxStage self-certifies, on an annual basis to the U.S. Department of Commerce its adherence to the Privacy Shield Principles. For more information about the Privacy Shield Framework and to view our certification page, please visit the U.S. Department of Commerce’s website at http://www.privacyshield.gov.

Uses for Operation and Improvement of the NxStage Service

Non-health Personal Information may be used or shared to maintain and improve the operation of the Nx2me App. For example:

  1. URLs may be used to ensure that information collected from your NxStage home medical device and mobile device application software is properly routed to us and shared with your healthcare provider, and
  2. log files may be used to assess the performance of the Nx2me App and other NxStage products and identify ways to improve efficiency, such as improving system response times.
  3. As mentioned in the "Collection of Information" section above, non-health Personal Information collected through the use of mobile device management software may be used to assist in the set-up of or to troubleshoot issues with the Nx2me App.
Disclosures to Satisfy Legal Obligations or Defend Legal Rights

To the extent permitted by applicable law, we may also disclose your information if we believe such disclosure is necessary to:

  1. comply with the law or legal process served on NxStage;
  2. protect and defend the rights or property of NxStage (including the enforcement of our agreements); or
  3. act in urgent circumstances to protect the personal safety and welfare of NxStage customers, employees, or members of the general public.
Aggregated and De-identified Data

We may aggregate your health information with health information collected from other patients that use the Nx2me App. Aggregated data is not associated with your individual identifiable records- it is de-identified, meaning that individual identifiers will be removed so the information cannot reasonably be used to identify you. Aggregated and/or de-identified data may be used to:

  1. improve the Nx2me App and other NxStage medical services and products;
  2. market the Nx2me App and other NxStage medical services and products; and
  3. protect your health information.

De-identified data may be disclosed to third parties. Data will only be aggregated or de-identified in ways permitted by your health care provider and applicable law.

Safeguards

We use appropriate safeguards to prevent the unauthorized use or disclosure of your Personal Information. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the Personal Information that we create, receive, maintain, or transmit on behalf of your healthcare provider. Please be aware, however, that no information system is 100% secure, and therefore we cannot guarantee against all potential security breaches. Moreover, the transmission of information over wireless and wired networks is not inherently secure, and we are not responsible for the transmission of information over networks that we do not control.

In order to enhance the security of your Personal Information, you should select a strong password. A strong password should include a combination of uppercase and lowercase letters, numbers, and special characters and should not contain your names, addresses, or significant dates or those of your friends or family. Memorize your password or store it in a safe location. In addition, you should not leave your mobile device unattended in public places.

We will retain your Personal Information in accordance with our retention policies and we shall securely delete your Personal Information where required under our policies or in accordance with applicable law.

Access to Health Information

We will make available to your healthcare provider, information necessary for you to exercise your rights to access, amend, restrict, object to, request confidential communications of, and request an accounting of certain disclosures of your health information in accordance with applicable privacy laws, including for residents of the United States using the Nx2me App, the Health Insurance Portability and Accountability Act ("HIPAA") and its regulations.

Additional Information

For additional information about our privacy practices, see our general privacy statement at http://www.nxstage.com/privacy-policy.

Changes to this Privacy Policy

We reserve the right to update this Privacy Policy from time to time by posting a new Privacy Policy at this location. We will note the effective date of the latest version of our Privacy Policy at the bottom of this page. You are advised to consult this Privacy Policy regularly for any changes, and your continued use of the Nx2me App after such changes have been made constitutes acceptance of those changes.

Contact Us. If you have any questions regarding this Privacy Policy, please contact:

NxStage Medical, Inc.
Attn: Privacy Officer
350 Merrimack Street
Lawrence MA 01843

Or

NxStage Medical UK, Limited
21 Holborn Viaduct
London, EC1A 2DY