THREEWIRE® – PRIVACY AND SECURITY POLICY
ThreeWire is dedicated to expediting the clinical trial process and marketing specialty products direct to targeted patients for medical device, biotechnology and pharmaceutical companies with existing or proposed innovative healthcare solutions. We do this through assisting with identifying, screening, referring and/or enrolling patients.
Clinical trials are the cornerstone for validating the efficacy, safety and clinical outcomes of investigational drugs, therapies and devices prior to market availability. The process for obtaining the required regulatory approval to bring products to market is extremely rigorous. ThreeWire specializes in providing services to reach, screen and process clinical trial participants. We also assist firms with identifying patient candidates for products that have regulatory approval for marketing within selected countries and subsequently connecting those patients with qualified physicians. As part of these processes, individuals are requested to provide and entrust ThreeWire with confidential and/or personal information (“Personal Information”). ThreeWire has adopted the following privacy and security policy (“Policy”) to assure participants that their Personal Information will be protected by fair trade practices and in accordance with all applicable laws, including requirements under the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-US Privacy Shield, the US-Swiss Safe Harbor, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), as well as the applicable patient and consumer data privacy laws of other countries within which we provide services.
ThreeWire is committed to protecting your Personal Information. We use secure, encrypted computer systems to store your information using best-practice standards to keep your information from being seen by anyone that should not see it. This Policy explains what information we may gather, and for what purpose. You may contact us with questions about this Policy or to place restrictions on the use of your Personal Information outside of the scope of this Policy.
In addition to our personal commitment to protect your Personal Information, ThreeWire has enacted an Information Security Management System that has been certified by a third-party accreditation authority to be compliant with ISO 27001:2013, an information security standard. ISO 27001 is a comprehensive set of information security requirements and quality benchmarks that represent the highest level of practices and standards for information security, storage, transmission and use. ThreeWire’s processes and practices surrounding protection of your Personal Information have all been developed under tenets of this standard and we must pass regular third-party audits in order to maintain this certification.
As used in this Policy, “ThreeWire”, “us” or “we” refers to ThreeWire, Inc., a corporation formed under the laws of the State of Minnesota, USA, together with its affiliated entities, including ThreeWire GmbH, a corporation formed under the laws of the Federal Republic of Germany, and their respective successors and assigns. As used in this Policy, “you”, “your”, or “participant” refers to an individual who has elected to provide Personal Information to ThreeWire as part of the individual’s participation in a clinical trial recruitment program or other direct-to-patient outreach program. This Policy covers our website at www.ThreeWire.com as well as any website designed, programmed, hosted and managed by ThreeWire on behalf of our clients.
ThreeWire is committed to the following on your behalf:
- We will not disclose, share or distribute your Personal Information to any third party without your express permission. In cases of onward transfer of your Personal Information, ThreeWire is liable for the secure transfer of that information.
- We will strictly adhere to the requirements of HIPAA regulations as set forth by the U.S. federal government in addition to the regulations established in PIPEDA for any data collection and transfer activity in Canada.
- We will abide by the regulations established in the EU-US Privacy Shield as set forth by the European Commission and U.S. Department of Commerce. This includes the individual doctrines established in the US-Swiss Safe Harbor.
- We will maintain the integrity of your Personal Information in a private and secure system requiring strict permissions and layered access.
- Participant and Personal Information may be disclosed to third parties if required of ThreeWire in connection with a legal proceeding such as a court order; subpoena; or a matter of law enforcement or national defense. In such cases we will attempt to inform you prior to disclosure so that you may exercise any legal rights you may have to prevent it.
- We will collect, affirm and honor your communication preferences whenever a preference capability is offered by ThreeWire.
- All participants will be provided with the reasonable ability to access, update, correct, or delete their Personal Information, as appropriate.
- We will only use your Personal Information for identifying you within a given clinical trial or marketing program and/or for inclusion opportunities in future clinical trials or marketing programs for which you may be eligible, in all cases only with your consent and within the confines of regulatory and industry standards.
This Policy applies only to “Personal Information”, which is any information that can be used to identify you. Under HIPAA, some types of this information may be referred to as Personal Health Information, or PHI, which may be information describing your health, including symptoms, diagnoses, testing or test results, and medical care services and procedures including medications. It may also include information that could be used to identify you if used in conjunction with other types of information. Our Policy does not apply to situations where we may gather information from third party sources that do not identify you specifically.
Generally, we obtain Personal Information about you by virtue of you providing us with such information. The only Personal Information about you that we collect from third parties is information that you have provided through an “opt-in” process. For example, we do not have access to your medical records except in cases where we are providing services to or through a medical professional from whom you have obtained services and with whom we have an appropriate data privacy agreement in place.
We may ask you for Personal Information in various locations on our website, via email requests or other means. In some situations, you will be required to provide Personal Information because of the clinical trial or marketing program for which you are being screened or in which you are participating. For example, we will need your real name to enroll you in a clinical trial. In other cases, the information you are being asked to provide is optional. We designate which information is optional throughout our website and other study processes.
This information may be shared with the registry for the purposes of contacting and screening you for potential eligibility for this registry. The use of this information is limited to the immediate needs required to conduct our business activities and will never exceed the minimal threshold rule with the exception of instances where you give us explicit permission to contact you regarding future or applicable studies and products; or in cases where your information is requested as part of a law enforcement investigation or matter of national security.
The information we seek to collect via electronic mail, web outreach, our Patient Interaction Center® (call center) and/or physician practice services allows us to provide you (whether you are a participant, physician, or authorized caregiver) with information that is targeted specifically to you or the individual for whom you are seeking information.
WHAT TYPES OF DATA DO WE COLLECT?
The information we collect is useful in identifying when, where and how you may be eligible for the registry. We may seek Personal Information on our website or through other electronic means, through our Patient Interaction Center® (PIC), or by mail, within the processes of the registry, or otherwise from recipients of ThreeWire corporate and program communications.
Typical data collection involves only information which you provide and may include:
- Your name, email address, address and phone number.
- Demographic information such as birth date, gender and ethnicity.
- Information related to ailments, conditions or other relevant data used to identify fit for future clinical studies or marketing programs. This data is purely voluntary and is never distributed to third parties.
- Additional information about yourself so that we can provide you with further information and follow-up.
- Information we or a clinical trial or marketing program sponsor need to know to learn whether you satisfy the inclusion/exclusion requirements for a particular trial or marketing program. Typically, ThreeWire creates a brief questionnaire served as a web-form on our website and/or generated through our PIC. This is likely to ask for basic medical information as well as information relevant to your participation in this registry. If you meet the prequalification criteria, and grant ThreeWire express permission to do so, your information will be forwarded to the registration center for further evaluation.
- Information we obtain from third parties to whom you have given your Personal Information and the consent to use it for authorized purposes.
US LEGAL COMPLIANCE
The government of the United States requires protections for your health information and sets rules about who can see and obtain your health information (“health information” includes any information about your mental or physical health, your health care, payment for your health care, and any demographic information). ThreeWire’s data practices and services comply with these standards.
What are your rights over your health information? You have the right to:
- See and obtain a copy of your health information. To see or obtain a copy of your health information, write or request this information from us at the address provided herein. You may have to pay for the cost of copying and mailing your records.
- Ask for changes to your health information. If you feel that your health information is incorrect or incomplete, you can ask us to change it.
- Know how your health information is shared with others. We use your health information to screen, enroll and process your participation in clinical trials or patient marketing programs. We may also include your information in a proprietary database so that we may identify your eligibility for future trial participation or a marketed product.
ALLIANCE BUSINESS RELATIONSHIPS
We frequently provide our services by working in tandem with other businesses that we refer to as our business partners. We do not provide your Personal Information to any of our business partners without your prior permission, nor do we ever receive records or personal data from a doctor, trial investigator or any other third party without your prior permission. Our business partners have their own privacy policies, and in cases where you have given us consent to share your information with them, you should review their privacy policies, which are typically located on their websites.
OUR COMMUNICATION WITH YOU
When you register with ThreeWire you are indicating your consent to permit us to maintain your name in our database, to check your personal profile against eligibility criteria for marketed products or clinical trials that are currently seeking to enroll investigators and/or participants, and to permit ThreeWire to communicate relevant information you have identified as valuable. We may periodically contact you using the information you have provided. If you expressly request ThreeWire to keep you informed about a marketing program or trial in which you have enrolled, we will do so. If you agree, we will contact you by various means to facilitate your participation in a trial or marketing program. You may opt out of select communication mediums at will on an individual-instance basis.
At any time, you may indicate to ThreeWire that you wish to stop receiving communications from ThreeWire. Residents of the U.S., Canada, Mexico and countries within Central and South America can achieve this by contacting us through our website or providing your request in writing to: Privacy Officer, 7706 Golden Triangle Drive, Eden Prairie, MN, USA 55344. Residents of EU member nations as well as other nations not listed above can achieve this by contacting us through our website or providing your request in writing to: Privacy Officer, ThreeWire GmbH, Hanauer Landstraße 521, 60386 Frankfurt am Main, Federal Republic of Germany.
ONCE YOU BECOME PART OF A REGISTRY
Since we may have been your first point of contact related to a registry, we may be tasked with keeping you informed regarding the process even after you are enrolled. Depending on the registry, and with your consent using only information you provide to us, we may be charged with providing communications related to the registry.
DATABASE PRACTICES & SYSTEM SECURITY
We employ technology and procedures to protect the security of your Personal Information during its storage and use by us. In addition, ThreeWire does not sell, share, rent or trade your Personal Information with third parties other than as disclosed within this Policy or with your express written consent.
FIREWALLS: We protect our servers from unauthorized access by using multiple hardware firewalls. Firewalls are controlled barriers that prevent network traffic from flowing between computers without specific permission. Data maintained on our servers, including all Personal Information and Personal Health Information, are on servers which are themselves only accessible from our proprietary software running on other servers on our network. All activity among our network servers is logged and reviewed periodically. All ThreeWire staff require passwords to access these servers and all internal activity is logged and reviewed on a periodic basis.
DATA ENCRYPTION: All Personal Information or Personal Health Information collected by us is encrypted during transmission between our servers as well as the computer from which you are accessing our web sites. We use the most current version of Transport Layer Security (TLS). TLS is an industry-standard encryption protocol supported by all web browsers. In most browsers, including Internet Explorer, Safari, Chrome, and Firefox, you can verify that you are viewing an encrypted and secure page by looking for a lock icon in the “location bar” or “address bar” (the area in which you typed or can see the URL of the website). The presence of a closed padlock icon on either the left or right of the location bar (depending on your web browser) indicates the page is secure and encrypted. An unencrypted page would either display no lock icon, or the image of an open lock, depending on your browser.
RESTRICTED ACCESS: In addition to the various techniques we use to protect your Personal Information online, we take additional measures to protect this Personal Information offline. We restrict access to all information we receive or maintain, including your Personal Information. Only those employees who require access to the information to perform a specific job function (such as certain members of our information technology staff) are granted access to your Personal Information, and such access is both password-controlled and logged. All of our employees have signed Confidentiality Agreements and are educated on our security and privacy policies when they join ThreeWire, as well as being required to review our policies on a regular and periodic basis and any time our policies change.
PHYSICAL SECURITY: The physical environment in which we store personal data is also protected and secured. Servers which store Personal Information are maintained in a secure environment, within locked, access-restricted and climate-controlled rooms.
QUESTIONS, COMMENTS, AND REQUESTS REGARDING PERSONAL INFORMATION
Please address your correspondence to our Privacy Officer and include the following information: your specific question, comment, or request related to your Personal Information; your contact information and whether you would like us to contact you regarding your request.