HIPAA NOTICE OF PRIVACY PRACTICES
Effective Date: July 30, 2018
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
In this Notice of Privacy Practices, we at Adaptive Biotechnologies Corporation, its subsidiaries and affiliates (“Adaptive,” “we” or “us”), explain our practices regarding the use and disclosure of medical and other personal information about you that we collect in conjunction with our clinical laboratory businesses, such as our clonoSEQ® service, and your rights relating to that information.
You have the right to:
• Get a copy of your medical record
• Correct your medical record
• Request confidential communications
• Ask us to limit the information we use or share
• Get a list of those with whom we’ve shared your information for certain purposes
• Get a copy of this privacy notice
• Choose someone to act for you
• Ask questions
• File a complaint if you believe your privacy rights have been violated
You have some choices in the way that we use and share information, such as how or whether we:
• Tell family and friends about your condition
• Provide information so that you may be located or rescued
• Engage in sales and marketing activities
Our Uses and Disclosures
We may use and share your information for various reasons, such as when we:
• Provide clinical laboratory services for you
• Run our organization
• Bill for testing services
• Help with public health and safety issues
• Do research under certain conditions
• Work with a coroner, medical examiner, or funeral director
• Comply with the law
• Address workers’ compensation, law enforcement, and other government or judicial requests
• Respond to lawsuits and legal actions
Each of the topics above is discussed in greater detail below.
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you. In each case, if you have questions about how to exercise your rights, please email us at firstname.lastname@example.org.
Get an electronic or paper copy of your medical record
• You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you.
• We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee for any copy or summary.
Ask us to correct your medical record
• You can ask us to correct health information about you that you think is incorrect or incomplete.
• We may say “no” to your request, but if we do, we’ll tell you why in writing within 60 days.
Request confidential communications
• You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
• We will say “yes” to all reasonable requests.
Ask us to limit what we use or share
• You can ask us not to use or share certain of your health information. Except as noted just below, we are not required to agree to your request, and we may say “no” if it would affect your care or for other justifiable reasons.
• If you pay for a service or health care item out-of-pocket in full, you can ask us not to share with your health insurer any information about your receipt of that service or health care item. We will say “yes” unless a law requires us to do otherwise.
Get a list of those with whom we’ve shared information
• You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
• We will include in that list all disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting per year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
Get a copy of this privacy notice
• You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.
Choose someone to act for you
• If you have given someone medical power of attorney or if someone is your legal representative or guardian (or, in some cases, if someone is an administrator, executor, or other authorized person responsible for your estate), that person can exercise your rights and make choices about our uses and disclosures of your health information.
• If you are an unemancipated minor, your parent or legal guardian may exercise your rights and make choices about our uses and disclosures of your health information on your behalf.
• We will do what we can to make sure that any person who purports to be your legal representative has this authority before we take any action as directed or authorized by that person.
• You can ask questions about this notice and your rights at any time. Please contact our Customer Service Department or email us at email@example.com.
File a complaint if you feel your rights are violated
• You can complain if you feel we have violated your rights by contacting us either by mail at Adaptive Biotechnologies Corporation, Attn: Privacy Officer, 1551 Eastlake Avenue East Suite 200, Seattle, Washington 98102, or by email at firstname.lastname@example.org.
• You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting http://www.hhs.gov/ocr/privacy/hipaa/complaints
• We will not retaliate against you for complaining to us or filing a complaint.
In certain circumstances, you have the right to choose when and how much of your health information we may share. If you have a clear preference for how we share your information in any of the situations described below, please email us at email@example.com. Tell us what you want us to do, and we will follow your instructions regarding the choices described below.
You have the right to tell us to:
• Share information with your family, close friends, or others involved in your care or payment for your care
• Share information with a disaster relief organization or others in order to help notify a person involved in your care about your location, condition, or vital status
• Share information with organ procurement organizations or related entities for the purpose of facilitating organ or tissue donation and transplantation
If you are not able to tell us your preference, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.
In the cases below, we are prohibited from sharing your personal health information unless you give us written permission:
• Disclosure to third parties for marketing purposes
• Sale of your information, although as we continue to develop our business, we might sell or acquire subsidiaries, affiliates or business units. In such transactions, health records information generally is one of the transferred business assets. Also, in the unlikely event that Adaptive or substantially all of its assets are acquired, health records will of course be one of the transferred assets.
OUR USES AND DISCLOSURES
In accordance with applicable federal and state law, we typically use or share your health information in the following ways.
Providing clinical laboratory services for you
We can use your health information and share it with other professionals who are treating you.
Example: Discussions of the minimal residual disease result with your treating physician.
Run our organization or help your health care provider run their organization
We can use and share your health information to run our laboratory, develop and improve our services to improve your care, and contact you when necessary. We can also share your health information with your health care provider to help them run their business, such as to process claims for payment for services they provide to you or to conduct quality control.
Example: We share health information about you with our third party service providers to manage our business, for example helping us process your test orders and helping us securely store your information.
Bill for your services
We can use and share your health information to bill and get payment from health plans or other entities.
Example: We may give information about you to a third party billing business associate to forward to your health insurance plan so it will pay for the services you received.
Help with public health and safety issues
We can share health information about you for certain situations such as:
• Preventing disease
• Participating in public health investigations
• Helping with product recalls
• Reporting adverse reactions to medications or certain other injuries
• Reporting suspected abuse, neglect, or domestic violence
• Preventing or reducing a serious threat to anyone’s health or safety
We may maintain certain of your information in certain databases, which may be used or accessed by individuals within our organization for research purposes. We can use or share your information for health research (1) if we have obtained your signed authorization or (2) if we have received approval from an Institutional Review Board or Privacy Board to conduct the research without your express authorization. We can also use your information without your signed authorization to prepare for research, such as to prepare a research protocol, or share it for those purposes. We generally may share information for research purposes about anyone who is deceased without the deceased’s signed authorization.
Work with a coroner, medical examiner, or funeral director
We can share health information about an individual with a coroner, medical examiner, or funeral director when the individual dies.
Address workers’ compensation, law enforcement, and other government requests
Subject to certain limitations, we can use or share health information about you:
• For workers’ compensation claims or benefits
• For law enforcement purposes or with a law enforcement official
• With health oversight agencies for activities authorized by law
• For special government functions such as military, national security, and presidential protective services
Comply with the law
We will share information about you if state, federal or national laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
Respond to lawsuits and legal actions or proceedings
We can share health information about you in response to a court or administrative order, or in response to a subpoena or other lawful process.
How else can we use or share your health information?
We are allowed or required to share your information in other ways and to other individuals–often in ways that contribute to the public good, such as public health or for law enforcement purposes. For more information see: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
We may not use or share your information other than as described in this notice without your written authorization. If you do provide such authorization, you may revoke that authorization, in whole or in part, at any time. You must send us your revocation in writing.
We are required to:
• Maintain the privacy and security of your personal health information in accordance with applicable law;
• Provide you with this notice of our legal duties and privacy practices with respect to your personal health information;
• Notify you if a breach occurs that may have compromised the privacy or security of your personal health information; and
• Adhere to the duties and privacy practices described in this notice and give you a paper copy of the notice upon your request..
For more information see: http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html
CHANGES TO TERMS OF THIS NOTICE
We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request, in our office, and on our web site.
OTHER INSTRUCTIONS FOR NOTICE
Adaptive’s U.S. Privacy Officer and International Data Protection Officer is
Kate Godfrey, Vice President, Compliance and Privacy Officer, who can be reached by mail at
1551 Eastlake Avenue East, Suite 200,
Seattle, Washington 98102,
by telephone at (206) 693-2227 or by email at firstname.lastname@example.org.
Effective Date: October 4, 2018
Adaptive commits its cooperation with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regards to disputes over human resources data transferred from the EU and Switzerland in the context of the employment relationship. Adaptive will comply with any advice provided by such authorities as it relates to pertinent activities.
We may update this Policy from time to time consistent with the requirements of the Privacy Shield Framework, and we will provide appropriate notice of an such amendments on the Adaptive website Legal-Privacy page, https://www.adaptivebiotech.com/legal-privacy.
“Data Subject” means the individual to whom any given Personal Data covered by this Privacy Shield Policy refers.
“Personal Data” means any information relating to an individual residing in the European Union or Switzerland that can be used to identify that individual either on its own or in combination with other readily available data.
“Sensitive Personal Data” means Personal Data regarding an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, physical or mental health, or sexual life.
II. TYPES OF PERSONAL DATA ADAPTIVE RECEIVES FROM THE EU AND SWITZERLAND
III. PURPOSES FOR PERSONAL DATA COLLECTION AND USE
- Conduct research and development
- Undertake product development
- Perform contracts and services
- Conduct healthcare operations
- Engage in marketing and sales, with proper consent
- De-identify or anonymize the information so it is no longer Personal Data and may be used for purposes other than those described here.
- Consider expressions of interest for employment and evaluate candidates and, if hired, employees.
Adaptive maintains reasonable procedures to help ensure that EU and/or Swiss Personal Data is reliable for its intended use, accurate, complete, and current. If Adaptive seeks to use Personal Data covered by this Privacy Shield Policy for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party, Adaptive will provide Data Subjects with an opportunity to choose whether to have their Personal Data so used or disclosed. Adaptive takes reasonable and appropriate measures to retain Personal Data in identifiable form only for as long as it serves a purpose of legitimate use or other processing.
IV. PURPOSES FOR SHARING AND RECIPIENTS OF PERSONAL DATA
A. Third-Party Agents and Service Providers: We share Personal Data with unaffiliated third parties who provide us with services, such as those who assist us with technology, data analysis, or similar services. Where required by the Privacy Shield, we enter into written agreements with those third-party agents and service providers requiring them to provide at least the same level of protection that the Privacy Shield requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps (i) to ensure that third party agents and service providers process EU and/or Swiss Personal Data in accordance with our Privacy Shield obligations and (ii) to cease and remediate the adverse effects of any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers that perform services on our behalf for their handling of EU and/or Swiss Personal Data that we transfer to them.
B. Third-Party Data Controllers: In some cases, we may transfer EU and/or Swiss Personal Data to unaffiliated third-party data controllers. These third parties do not act as agents or service providers and are not performing functions on our behalf. We will make such transfers only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by or notice provided to the Data Subjects, (ii) provide at least the same level of protection as is required by the Privacy Shield Principles and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If we obtain knowledge that a third party acting as a controller is processing Personal Data covered by this Privacy Shield Policy in a way that is contrary to the Privacy Shield Principles, Adaptive will take reasonable steps to prevent or stop such processing. The third-party data controllers to whom we may disclose Personal Data include but are not limited to:
- Research and Development Partners.
- Acquirers or Assignees: In the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of Adaptive or its assets, we may transfer Personal Information to the acquiring party or assignee.
- Corporate Investment Partners.
C. Entities Entitled Under Law: We also may disclose Personal Data in the following circumstances: (i) when required by applicable law, including laws outside your country of residence; (ii) to comply with legal process (iii) to respond to requests from public and government authorities; (iv) to meet national security or law enforcement requirements, or (v) to evaluate job candidates, check references or background, and if hired, regarding employment.
V. DATA SUBJECTS’ ACCESS TO THEIR PERSONAL DATA
Each Data Subject has the right to access the Personal Data Adaptive has obtained regarding he or she in reliance on the Privacy Shield and to request that we correct, amend, or delete that Personal Data if it is inaccurate or processed in violation of the Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, alternative choice of opt-in/out, or deletion of your EU and/or Swiss Personal Data, you can submit a written request to us as indicated in the “Contacting Us” section of this Policy below. We may request specific information from you to confirm your identity in order to respond to such a request. In some circumstances we may charge a reasonable fee for access to your information. If your EU and/or Swiss Personal Data was provided to us by an Adaptive customer, we may facilitate your access to such data by directing you to the customer that provided your data to us.
Adaptive maintains reasonable and appropriate security measures to protect EU and/or Swiss Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield Framework.
VII. COMPLAINTS AND MECHANISMS FOR RECOURSE
Each Data Subject may raise questions or complaints about the use or disclosure of their EU and/or Swiss Personal Data in conformance with the Privacy Shield Principles. If you have any such questions or complaints, please write to us as directed in the “Contacting Us” section of this Policy below. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your EU and/or Swiss Personal Data within 45 days of receiving your complaint.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider, JAMS (free of charge) at https://jamsadr.com/eu-us-privacy-shield.
Under certain conditions detailed in the Privacy Shield, Data Subjects may be able to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission. Information on the conditions for and steps necessary to pursue this option is available at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
VIII. CONTACTING US
Adaptive Biotechnologies Corporation
Attn: Kate Godfrey, JD, CCEP
VP, Compliance and Data Privacy Officer
1551 Eastlake Avenue East, Suite 200
Seattle, Washington 98102
Email to: email@example.com
Effective Date: March 29, 2018
The words “Adaptive” and “we” or “us” refer to Adaptive Biotechnologies Corporation or its subsidiary or affiliate that maintains the relevant website or provides the relevant services, and the term “you” refers both to you in your individual capacity and, if applicable, to your employer or institution if you are accessing our websites or services in your capacity as an employee, agent or other representative of such an entity.
In addition, you or anyone on your behalf are specifically requested not to send to us via email or via our external web site information that comprises protected health information. Such information may be submitted in Adaptive’s secure portal in connection with our clonoSEQ CLIA service. In such cases it is governed by other policies that are compliant with the Health Information Portability and Accountability Act (HIPAA). To read about your rights and our obligations for this information, please see our Notice of Privacy Practices at https://www.adaptivebiotech.com/hipaa-privacy-practice/.
WHAT WE COLLECT
We may collect the following information from you:
PERSONAL INFORMATION RELATING TO EU CITIZENS
Transfers of your Personal Information
Adaptive is located in the United States. If you are located in the European Economic Area (EEA) and you submit Personal Information to Adaptive, that information will be transferred to the United States. Adaptive carries out such transfers on the basis of your consent and/or Adaptive’s EU-US Privacy Shield certification. You can access Adaptive’s EU-US Privacy Shield registration here and Adaptive’s EU-US Privacy Shield policy here https://www.adaptivebiotech.com/privacy-shield-policy. Adaptive also takes reasonable security measures to protect your Personal Information during such transfers and to protect its privacy and security in the United States.
Your rights in relation to your Personal Information
To the extent that the EU General Data Processing Regulation (“GDPR”) applies to Adaptive’s processing of your Personal Information, you may have the following rights in relation to that Personal Information, including the rights:
- to correct any Personal Information that we hold about you;
- to have your Personal Information removed under certain circumstances unless continued processing is necessary by law;
- to have the processing of your Personal Information restricted where you dispute its accuracy, if you think its processing is unlawful, or if you otherwise object to its processing, or when Adaptive no longer needs your Personal Information and you need it in relation to a legal claim;
- to receive copies of your Personal Information under certain circumstances; and
- to complain to your national data protection regulator if you feel that any of your Personal Information is not being processed in accordance with the GDPR.
You may withdraw your consent to the processing of your Personal Information or marketing communications at any time by emailing: firstname.lastname@example.org. If you withdraw your consent, Adaptive will stop processing your Personal Information, unless it has any other legal basis for doing so, and will stop sending you marketing communications.
To exercise any of these rights, make a complaint, or request any additional information, please contact us at email@example.com.
WHAT WE DO WITH YOUR PERSONAL INFORMATION
We collect your Personal Information to understand your needs and improve or develop our services, and in particular for the following reasons:
- To respond to any inquiry you submit on our website
- To enable you to create an account on our website
- To respond to a request for a quote or information that you submit on our website or otherwise.
- To provide our services to you if you request them
- Internal recordkeeping
- To improve our products and services or develop new products or services.
- With your prior opt-in consent, to send you emails or other communications about existing or new or future products or services, Adaptive business, special offers or other information that we think you may find interesting.
- With your prior opt-in consent, to contact you by email, phone, fax or mail for market research purposes.
- With your prior opt-in consent, to send you promotional information about third parties that we think you may find interesting.
HOW WE MIGHT SHARE YOUR PERSONAL INFORMATION
We may disclose your Personal Information to third-party service providers to provide us with services such as website hosting, payment processing services and postal services.
We may disclose your Personal Information to our business partners in order to perform services you request or authorize, including as set forth in this policy, in accordance with our commercial practices.
Corporate Transactions or Events
We may disclose your Personal Information to a third party in connection with a corporate reorganization, merger, sale, joint venture, transfer, investment transaction, or other disposition of all or any of our business, including in connection with any bankruptcy or similar proceedings.
Sales and Marketing Purposes
When you provide your consent, we may use or disclose your Personal Information for sales and marketing purposes, including by disclosing your Personal Information to third parties for such purposes.
LINKS TO OTHER WEBSITES
We are committed to taking reasonable steps to protect the security of your Personal Information. In order to prevent unauthorized access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the Personal Information we collect.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. A cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyze data about web page traffic and improve our websites in order to tailor them to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system. In addition, we use Google Analytics to analyze web traffic, but we do not authorize Google to share in any information about you with any third parties.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of our websites.
INFORMATION ACCESS, UPDATES AND CHOICE
You may choose to provide information to us by completing a registration form, sending us an email or otherwise contacting us. In the registration form, you may have an opportunity to elect to receive certain communications from us. Our email correspondence will include instructions on how to update certain personal information and how to unsubscribe from our emails and postal mail correspondence. Please follow the instructions in the emails to notify us of changes to your name, email address and preference information. When we think appropriate, we may take additional steps, such as confirmation emails, to verify your identity before granting access to your personal information. If you choose to unsubscribe from our email and/or postal mail services, you will no longer receive this correspondence. However, we may retain your information for a period of time to resolve disputes, troubleshoot problems or for other valid business or legal reasons.
Our websites are directed toward adults. We do not knowingly collect or use any personal information from children under age of 13, and if we become aware that we have collected such information we will delete it.
The use of our websites is governed by the laws of the state of Washington and the United States. If you are accessing our websites from any location with regulations or laws governing personal data collection, use or disclosure that differ from those of the United States and Washington State, then through your continued use you are transferring personal information to the United States and you consent to that transfer and to the collection and processing of such information in the United States. You also consent to the exclusive jurisdiction of any disputes arising in connection with our websites in the federal and state courts located in King County, Washington, USA. You also agree to attempt to first mediate any such disputes in good faith as we may request.