Updated April 30, 2018
Information Collection, Use, and Sharing
Prometheus makes the Patient Portal software available to our customers, usually scientific, biomedical, or healthcare services research organizations (“Researchers”), who use it to securely collect high-quality research data (“Data”) from patients and research study participants (“Participants”). Researchers own and control all information collected through the Patient Portal. Some Researchers may choose to collect personal information, health information, or other highly sensitive information. Researchers decide how the data collected by Patient Portal can and will be used; their intended use of the data should be accurately and clearly described in the Informed Consent document you review and approve prior to participating in any study, and their use of the data is usually governed (for U.S. based Researchers) by federal regulations relevant to human subjects research (The Common Rule) and, where personal health data is collected, by the Health Insurance Portability and Accountability Act (HIPAA).
Prometheus treats all Data as highly confidential. We do not classify Data into different grades of sensitivity since only the Researcher knows what the data mean. Instead, we treat all Data under the assumption that it must be protected at the same level as Personal Health Information (PHI) as defined by U.S. federal regulations (specifically, HIPAA). We are legally responsible for protecting Participant privacy while Data is in under our control. The Researcher is responsible for protecting Participant privacy when they take control of the Data by extracting or downloading the Data from Prometheus systems.
Prometheus will process the Data to the extent necessary to provide services to Researchers and will make the Data securely available to authorized agents of the Researcher.
Prometheus will never transfer Data to a third-party except under direct written request of the Researcher. In terms used by commercial websites: there is no “onward transfer.”
To protect the Data under our control, Prometheus takes industry-standard technical security measures appropriate to storing PHI: Data is encrypted both at rest and in transit, access privileges are granular, access is logged, system modifications are monitored, all servers that store the Data are kept in a secure environment.
Prometheus employees do not actively view or use the data; they interact with the data only to the extent necessary to accomplish system maintenance, administration, or diagnostic tasks for our Researchers. Only those employees that need access to the data to perform a specific work function are granted access to the data. All Prometheus employees with access to the Data have signed confidentiality agreements, have been trained on privacy practices, including HIPAA requirements, and must complete annual refresher privacy trainings.
Your Access to and Control Over Information
Because Researchers own and control the Data, any request about the data should be directed to the relevant research organization. Their contact information, and your rights relative to the Data you have already provided will be available in the Informed Consent Document. You can view the Informed Consent for each study you have agreed to participate in on the Consents page of the Patient Portal application.
Who do I contact if I have questions or complaints?
General questions about this policy or any complaints arising out of your experience with the Patient Portal can be sent to email@example.com.
If you have a serious or urgent concern, you can also contact our Chief Privacy Officer directly at firstname.lastname@example.org.