Website privacy and security
11/11/2019
HIPAA NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
EFFECTIVE DATE OF NOTICE: August 4, 2023.
Cytometry Specialists, Inc. (“CSI” or “Company” or “we” or “us”) is required by law to provide individuals with notice of its legal duties and privacy practices with respect to your “Protected Health Information” (“PHI”) (defined below). This Notice describes the privacy practices of CSI, its employees, and other personnel with respect to PHI.
CSI and the members of its workforce are committed to protecting the privacy and confidentiality of your personal information, genetic information, and laboratory test results.
CSI is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to keep your Protected Health Information confidential. This Notice describes our legal duties and privacy practices and explains your patient privacy rights. When we use or disclose your Protected Health Information, we are required to abide by the terms of this Notice.
What is protected health information
Protected Health Information is your demographic information, medical history, laboratory results, insurance information, and other health information that is collected, generated, used, and communicated by CSI to produce genetic testing results and bill for our testing services. Examples of PHI include your name, date of birth, medical record number, social security number, insurance beneficiary number, and genetic information.
How we use and disclose your health information
Your PHI may be used and disclosed for treatment, payment, healthcare operations, and other purposes permitted or required by law, as outlined in more detail below.
- Treatment: We may use or disclose your PHI for treatment purposes. For example, we may use your Protected Health Information to perform our testing services and disclose your genetic testing results to your physician and other providers involved in your care.
- Payment: We may use or disclose your Protected Health Information to obtain payment for healthcare services we provide. For example, we may use and disclose your information to send a bill to your insurance company or health plan to receive payment for the services provided to you.
- Health Care Operations: We may use and disclose your Protected Health Information for our healthcare operations. For example, we may use your PHI to monitor the quality of our testing services and review the competence and qualifications of our laboratory professionals.
- Persons Involved in Your Care or Payment for Your Care: We may disclose your Protected Health Information to persons involved in your care or payment for your care, such as a family member, relative, or close friend, unless you object or ask us not to.
- Personal Representatives: We may disclose Protected Health Information about you to your authorized personal representative, such as a lawyer, administrator, executor, or other authorized person.
- Minors’ Protected Health Information: We may disclose Protected Health Information about minors to their parents or legal guardians.
- Disclosures to Business Associates: We may disclose your Protected Health Information to other companies or individuals, known as “Business Associates,” who provide services to us. For example, we may use a company to perform billing services on our behalf. Our Business Associates are required to protect the privacy and security of your Protected Health Information and notify us of any improper disclosure of information.
- As Required by Law: We must disclose your Protected Health Information when required to do so by any applicable U.S. federal, state, or local law.
- Public Health Activities: We may disclose your PHI for public health-related activities. Examples include: reporting diseases to authorized public health authorities, public health investigations, or notifying a manufacturer of a product regulated by the U.S. Food and Drug Administration of a possible problem encountered when using the product in our testing process.
- Health Oversight Activities: We may disclose your PHI to a healthcare oversight agency for activities that are authorized by U.S. law, such as audits, investigations, inspections, and licensure activities. For example, we may disclose your PHI to agencies responsible for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.
- Research: Under certain circumstances, we may use or disclose your Protected Health Information for research purposes. All research projects at CSI are subject to review by a committee responsible for ensuring the protection of individual research subjects, appropriate patient authorization, and an adequate plan to safeguard PHI. In preparation for research, we may review limited PHI to draft research protocols, to identify prospective research participants, or for similar purposes, provided the information is not removed from our premises.
- Judicial and Administrative Proceedings: Under certain circumstances, we may disclose your PHI in the course of a judicial or administrative proceeding in response to a court order, subpoena, or other lawful process.
- Law Enforcement: We may disclose your Protected Health Information to the police or other law enforcement officials as required by law or in compliance with a court order, warrant, subpoena, summons, or other legal process for locating a suspect, fugitive, witness, missing person, or victim of a crime.
- Threats to Health or Safety: We may disclose Protected Health Information to prevent or reduce the risk of a serious and imminent threat to the health or safety of an individual or the general public.
- Victims of Abuse, Neglect, or Violence: If required or authorized by law, we may disclose Protected Health Information to a government agency, such as social services or a protective services agency, if we reasonably believe that an individual adult or child is the victim of abuse, neglect, or domestic violence.
- For Appointment Reminders and Information: We reserve the right to contact you, in a manner permitted by law, with appointment reminders or information about treatment alternatives and other health related benefits that may be appropriate for you.
- Emergencies: We may disclose medical information about you to a public or private entity assisting in disaster relief, so that your family can be notified about your condition, status, or location. You may object to this disclosure with a written request. However, if you are not available or are unable to agree or object, or in some emergency circumstances, we will use our professional judgment to decide whether this disclosure is in your best interest.
- Workers’ Compensation: We may release medical information about you for workers’ compensation or similar programs, including programs that provide benefits for work-related injuries or illness.
- Decedents: We may release medical information about you to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about you to funeral directors. We may also release information to any individual known to us as a family member, close personal friend of the family, or any other person identified, who was involved in your care or the payment for your care prior to your death, unless you had indicated otherwise. If otherwise permitted by law, your medical information may be used or disclosed to others without your authorization after 50 years from the date of your death.
- For Specialized Government Functions: We may disclose medical information about you to authorized federal officials for intelligence, counter intelligence, and other national security activities.
- Information About Inmates / Those in Custody: If you are an inmate or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official responsible for you, as authorized or required by law.
- Information About Students or Employees: If you are a student, employee, or member of an organization with which we have a contractual testing arrangement, we may release medical information about you to your organization, as authorized or required by law.
- All Other Uses and Disclosures of PHI: We will ask for your written authorization before using or disclosing your Protected Health Information for any purpose not described above. You may revoke your authorization, in writing, at any time, except for disclosures that the company has already acted upon. A revocation of authorization must be submitted to the Privacy Officer at the address listed below.
YOUR RIGHTS REGARDING YOUR MEDICAL INFORMATION
You have the following rights with respect to your Protected Health Information. To exercise any of these rights, please contact our Privacy Officer using the contact information provided at the end of this Notice.
- Access to PHI: You, or your authorized or designated personal representative, have the right to inspect and copy the Protected Health Information maintained by us. We may deny access to certain information for specific reasons, for example, where Federal and state laws regulating laboratories prohibit us from disclosing genetic testing results directly to a patient.
- Restrictions on Uses and Disclosures: You have the right to request restrictions on our use and disclosure of your Protected Health Information. You also have the right to request a restriction on the Protected Health Information we disclose about you to someone who is involved in your care or payment for your care, such as a family member or friend. Except as described in this section, we are not required to agree to your request. We must agree to your request if the disclosure has been made to a health plan for the purpose of payment or health care operations and the disclosure relates to an expense for which you have been paid out of pocket. To request restrictions, you must send a written request to firstname.lastname@example.org.
- Confidential Communications: You have the right to request that we communicate with you about your Protected Health Information by alternative means or to an alternative address. Your request must be in writing and must specify the alternative means or location. We will accommodate reasonable requests for confidential communications.
- Correct or Update Information: If you believe the Protected Health Information we maintain about you contains an error, you may request that we correct or update your information. Your request must be in writing and must explain why the information should be corrected or updated. We may deny your request under certain circumstances and provide a written explanation.
- Accounting of Disclosures: You may request a list, or accounting, of certain disclosures of your Protected Health Information made by us or our business associates for purposes other than treatment, payment, healthcare operations, and certain other activities. The request must be in writing, and the list will include disclosures made within the prior six years.
- Copy of Notice: Upon request, you may obtain a paper or electronic copy of this Notice.
We are required to notify you following the discovery of a breach of unsecured Protected Health Information, unless there is a demonstration, based on a risk assessment, that there is a “low probability” that the Protected Health Information has been compromised. You will be notified in a timely fashion, no later than 60 days after discovery of the breach.
QUESTIONS AND COMPLAINTS
If you have questions or concerns about our privacy practices or would like a more detailed explanation about your privacy rights, please contact our Privacy Office using the contact information below.
If you believe that we may have violated your privacy rights, you may submit a complaint to our Privacy Officer. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request. CSI will not take retaliatory action against you and you will not be penalized in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.
CHANGES TO OUR NOTICE OF PRIVACY PRACTICES
We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. We will promptly post any changes to this Notice on our website at www.csilaboratories.com. Please review this website periodically to ensure that you are aware of any updates.
When communicating with us regarding this Notice, our privacy practices, or your privacy rights, please contact the Privacy Officer using the following contact information:
Cytometry Specialists, Inc.
ATTN: Privacy Officer
2580 Westside Parkway
Alpharetta, GA 30004
If you are located in the European Economic Area, the United Kingdom, or Switzerland, please see our EEA/UK/Switzerland Privacy Notice.
If you are a California resident, please see our California Privacy Notice. Please note that rights afforded under the California Consumer Privacy Act of 2018 do not apply to PHI and are instead protected by HIPAA, as discussed above.
We may revise this Policy from time to time. All updates will be posted on this web page. If we make any material changes in the way your personal information is handled, we will notify you by email (sent to the email address specified in your account) or by means of a notice on our Website prior to the change becoming effective.
TYPES OF PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
Depending on which of our Services are being used, or which individual (provider or patient) is involved, CSI processes and stores different combinations of personal information as set forth in this Policy.
PATIENTS’ PERSONAL INFORMATION
We may collect, process, generate, and share individually identifiable personal information of patients, including the following categories either directly or through third parties (for example health care providers):
- Personal details (including first and middle name, last name, birth date and/or age)
- Family relationships (if applicable)
- Address and other contact information
- Disease, diagnosis, or other similar health information
- Symptoms and other medical information
- Information on patient’s insurance (where provided)
- Payment information for services (where provided)
- Identifiable genetic information
- Genetic, COVID-19, or other test results and findings
Certain individually identifiable personal information of patients is protected by HIPAA in the United States, and we have described how we may use this information in our HIPAA Notice of Privacy Practices. How we use health information protected by GDPR is described in our EEA/UK/Switzerland Privacy Notice.
CSI engages in research and development, which helps us improve our Services and build new Services and customized features or Services. For the genetic tests that we perform, you may elect to consent to research at the time the test is requested. If you consent to research, your personal information and remaining sample may be stored and processed for up to 20 years for the further purposes specified in the applicable Informed Consent Form and/or Test Requisition Form; and it may be retained in an anonymized form to support further research, development, and improvement of diagnostic methods and potential therapeutic developments.
PERSONAL INFORMATION COLLECTED FROM PROVIDERS
In order to provide the Services requested (including testing, billing, etc.), we will collect and process the following personal information from providers:
- Personal details (including name, address)
- Phone and fax number
- Business address and department
- Email address
- Payment information (where provided)
This collection and processing is done for the purpose of performing a contract between CSI and the provider and providing the Services. For example, provider personal information will be processed to inform the provider of the patient’s test results, respond to other requests from the provider, and for invoicing. CSI stores provider personal information for as long as we need it to provide you our Services, to serve the purpose(s) for which your personal information was processed, or as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements to the extent permitted by law.
We may also use provider personal information to share marketing information about our Services; and to do so, we may process your contact information or information about your interaction with our Services so that we can send you marketing communications; provide you with information about events, webinars, or other materials; deliver targeted marketing to you; and keep you updated about our Services. You can opt-out of our marketing activities at any time by using the “unsubscribe” link in our email communications or by contacting email@example.com.
INFORMATION COLLECTED FROM VISITORS TO OUR WEBSITE
Generally, individuals are able to visit the www.csilaboratories.com site without disclosing personal information, except as may be necessary to provide a product or service at their request or for advertising purposes. In some cases, we may recognize personal data like the IP address as well as non-personal data like the name of the visitor’s Internet service provider, the website from which the visitor came to our Website, the pages that the visitor views on the Website, and what the visitor clicks on any given page. This data could possibly identify an individual, but CSI does not use it to do so.
PERSONAL INFORMATION YOU SUBMIT: CSI collects personal information that you provide to us on the Website, such as when you enter information into data fields and web forms on the Website, provide to us in-person at conferences and other events, or otherwise interact with us at such conferences and events. For example, you may submit your name, phone number, postal address, e-mail address, and/or other information in order to receive information about CSI or its products and services, register for CSI programs, contact CSI, or respond to CSI surveys. Additionally, if you are a clinician working with us, we collect certain additional information such as your NPI number and other information to establish accounts with us. In instances where social media services may be used, we do not have any influence on the storage and processing of providing personal information via the respective social media service. You are encouraged to review those privacy policies before sending CSI personal information via a social media service.
PASSIVE COLLECTION OF NON-PERSONAL INFORMATION: CSI sites may collect information about your visits and use of the Website without you actively submitting such information. This information does not identify you. Non-personal information may be collected by CSI and our site using various technologies, such as cookies, Internet tags, and web beacons. Your Internet browser automatically transmits to CSI and our site some of this non-personal information, such as the URL of the website you just visited and the browser version your computer is operating. Passive information collection technologies may make your use of the Website easier by allowing CSI and our site to provide better service, customize sites based on consumer preferences, learn which advertisements and features bring users to our site, compile statistics, analyze trends, and otherwise administer and improve our site. We may collect, use, store, and transfer non-personal information without restriction.
“DO NOT TRACK”: Some browsers have “do not track” or “global privacy control” or “GPC” features that allow you to tell websites that you do not want to have your online activities tracked. For California residents, you may exercise your GPC rights by utilizing the available features on our Website.
APPLICANT INFORMATION: If you apply to a position with us through the Website, we collect personal information you provide in connection with your application such as your resume, cover letters and demographics. We may use third party platforms to assist us with processing your application. If you are a California resident, please see our California Privacy Notice and our California Notice to Job Applicants.
AGGREGATE INFORMATION: Aggregate information is information that does not identify you. Aggregate information may be collected when you visit the Website, independent of any information you voluntarily enter. Additionally, we may use one or more processes to de-identify information that contains personal information, such that only aggregate information remains. We may collect, use, store, and transfer aggregate information without restriction.
How we use personal information that we collect online
We generally only use personal information for the purposes for which we have collected it, for operating our business, and for other purposes for which we obtain your consent. For example, we may use your personal information: (1) to provide you with the products or services that have been requested by your healthcare provider acting on your behalf; (2) to answer questions or respond to your inquiries about our company, services, billing, payment methods, or use of the Website; (3) to process or collect payments for our services. Per your request, we may contact you to resolve billing issues or to reply to your request for other documentation.
In addition to the purposes listed above, we may use personal information:
- To set up your account and to provide our site and services;
- To optimize the Website and your experience using it;
- To identify and authenticate your access to certain features of the Website;
- To communicate with you in order to keep you informed of our latest updates and features;
- To assess your candidacy for a position that you applied to and to facilitate your employment application;
- To perform research or to conduct analytics in order to improve and customize the Website to our users’ needs and interests;
- To market our products and services to you (to the extent permitted under HIPAA and other laws, where applicable);
- To detect and prevent illegal activity or any other type of activity that may jeopardize or negatively affect the integrity of the Website;
- To support and troubleshoot our site, respond to your inquiries, and communicate with you;
- To comply with our legal obligations; and
- To investigate violations and enforce our policies, and as required by law, regulation, or other governmental authority; or to comply with a subpoena or similar legal process or respond to a government request.
INFORMATION WE SHARE
Subject to the limitations described in our HIPAA Notice of Privacy Practices, California Privacy Notice, California Notice to Job Applicants, and the EEA/UK/Switzerland Privacy Notice (which are available on our Website), CSI may disclose your personal information as follows:
- Our operations as a laboratory. Protected health information may be shared for treatment, billing and payment, laboratory operations, and other purposes described herein and in our HIPAA Notice of Privacy Practices and EEA/UK/Switzerland Privacy Notice, as applicable.
- Our service providers, vendors, and other processors. We may share your personal information with our service providers or other vendors and processors that help us provide our Services to you, which, in limited circumstances, may access information from a different location than where the information was collected. Such entities will be given access as is reasonably necessary to provide our Services, and only under contractual obligations that are at least as restrictive as this Policy and are in compliance with applicable privacy laws. Agents, vendors, and service providers who may have access to protected health information and other special categories of personal data are contractually and/or legally obligated to protect the privacy and security of such information pursuant to applicable laws. Your payment information is transmitted directly to our third-party payment processor. We do not store any credit card information on CSI servers.
- Affiliated businesses. We may share your personal information with group companies and affiliates. Affiliated businesses may use your information to help provide, understand, and improve our Services and the affiliates’ own services.
- Data Sharing. Where prohibited, protected health information collected from users and patients based in the USA or in the EEA/UK/Switzerland region will not be shared outside the United States.
- Change of control. We may share your personal information as part of a purchase, transfer, or sale of the Services or the company (for example, a corporate restructuring, merger or consolidation with, or sale of substantially all of our assets to a third party).
- Safety and legal compliance. We may share your personal information if we believe that such disclosure is necessary to comply with applicable laws, regulations, legal processes, or requests by public authorities (e.g., law enforcement, tax authorities, etc.); to protect you, us, or other users’ rights or property; to protect safety and security in connection with our Services; or to comply with or enforce our terms, agreements, or policies.
- Your consent or express actions. We will share personal information when we have your consent to do so. Also, any information or content that you voluntarily disclose for posting in public areas of our Website, such as public comments or social media posts, becomes available to the public.
- Anonymous or aggregate data. We may share anonymized or aggregated information with third parties. Such information is de-identified in accordance with applicable law, no longer reasonably identifies you, and is not considered personal information.
HOW WE USE AND DISCLOSE DE-IDENTIFIED, ANONYMIZED, OR PSEUDONYMIZED INFORMATION
- For testing quality control and validation:
  - In accordance with regulatory requirements, we may de-identify, store, and use patients’ samples and information for internal testing quality control, validation, genetic testing, and research and development. This important purpose allows CSI to maintain our high-quality Services and to develop and improve new Services.
  - For genetic testing services, we may also share de-identified patients’ samples and information for quality assurance and validation purposes. Such sharing is essential to maintaining the quality of genetic testing in testing laboratories in accordance with regulatory requirements.
- For research purposes:
  - For infectious disease testing, we may contribute viral genetic variants that we have observed in the course of providing services to the Centers for Disease Control.
  - For genetic testing services, we may contribute de-identified human genetic variants that we have observed in the course of providing our Services to publicly available databases.
  - For genetic testing, cancer screening, and biopsy testing services, we may use or disclose de-identified patient information for general research purposes. This may include research collaboration with third parties, such as universities, hospitals, or other laboratories, in which we utilize de-identified clinical cases at the individual level or in the aggregate; and we may present or publish such information. This may also include commercial collaborations with private companies for research purposes.
To the extent we have relied on your express consent to process de-identified or pseudonymized personal information in relation to the above (for example, if you are in the EEA, United Kingdom, or Switzerland), you may withdraw your consent to participate at any time by contacting us at firstname.lastname@example.org. CSI will not include any such de-identified or pseudonymized personal information in future research commencing within 30 days from the receipt of your request. Any research involving your data that has already been performed or published prior to the receipt of your request will not be reversed, undone, or withdrawn.
HOW WE PROTECT INFORMATION
We take the security of your personal information very seriously. We use reasonable administrative, physical, and technical safeguards to secure the personal information you share with us, including, where relevant, in compliance with applicable law. Our efforts include, but are not limited to, using industry standard tools such as firewalls, encryption, and intrusion detection. Your personal information is processed and stored on controlled servers with restricted access, and, if applicable, in compliance with the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
However, since the Internet is not a 100% secure environment, we cannot guarantee, ensure, or warrant the security of any information you transmit to us. There is no guarantee that information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. Please recognize that protecting your personal information is also your responsibility. You should keep your username, password, ID numbers, or other access credentials secure, as CSI cannot secure personal information that you release on your own or that you request us to release. If we receive instructions using your log-in information, we will consider that you have authorized the instructions. Please do not submit any personal health information or credit card information to us via email.
You agree that you have provided notice to, and obtained consent from, any third party individuals whose personal information you supply to us, including with regard to (a) the purposes for which such third party’s personal information has been collected; (b) the intended recipients or categories of recipients of the third party’s personal information; (c) which of the third party’s information is obligatory and which information, if any, is voluntary; and (d) how the third party can access and, if necessary, rectify the information held about them.
LINKS TO OTHER SITES
Our Website is directed towards adults and is not designed for, intended to attract, or directed towards children under the age of 16. If you are under the age of 16, you must obtain the authorization of a responsible adult (parent or legal guardian) before accessing or using our Website. If we become aware that we have collected any personal information from children under 16 without appropriate authorization, we will promptly remove such information from our databases.
UNSUBSCRIBING, REMOVING, OR MODIFYING YOUR INFORMATION
To the extent you are a registered user of the Website, to modify or view personal information you have provided to us in connection with your account, please login and update your profile. In some circumstances, such as to resolve disputes, troubleshoot problems and enforce our rights, or to the extent required or permitted by applicable law, we may retain in our files information you have requested to delete. Further, your personal information may remain on our system backups after deletion. If you have an account, we may send you certain communications related to this site and/or services that are considered part of your account, such as technical alerts.
You can update, amend, or delete your account information and preferences at any time by contacting us at email@example.com. When you make a valid request, we will provide you with instructions on how to update certain personal information and how to unsubscribe from our emails and communications. Please follow the instructions when necessary to notify us of changes to your name, email address, and preferences. We will take reasonable steps to verify your identity, including via verification and confirmation emails, before granting access to your personal information.
For individuals residing in the European Economic Area (EEA), Switzerland, or the United Kingdom (collectively, the “Designated Countries”) at the time of data collection, please refer to our EEA/UK/Switzerland Privacy Notice. If you are a California resident, please refer to our California Privacy Notice.
We store your personal information for as long as we need it in connection with the Services; to serve the purpose(s) for which your personal information was processed; or as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements to the extent permitted by law.
We store information used for marketing purposes indefinitely, and we collect it until you unsubscribe. Once you unsubscribe from marketing communications, we add your contact information to our suppression list to ensure we honor your unsubscribe request. If you have any questions about our retention periods, please feel free to contact us at firstname.lastname@example.org.
SPECIAL NOTICES FOR INDIVIDUALS IN CERTAIN GEOGRAPHIC AREAS
We are located in the United States and may collect, process, and store your information in the United States. If you are located outside the United States, your information may be transmitted to us in the United States. When we conduct such transfers, we rely on various legal bases to lawfully transfer your personal information from your country to the United States, including the European Commission-approved Standard Contractual Clauses. Our data protection laws may be less protective than the laws of the jurisdiction in which you reside. If you do not want your information collected, transferred to, processed, or maintained in the United States, you should not use our Services.
Additionally, our Website is hosted in the United States. If you are visiting our Website from another country, the laws governing our collection and use of personal information may be different from the laws of your country. If you decide to use our Website, or share your information with us, you are agreeing to be governed by the laws of the United States, and you agree to the transfer of your personal information to the United States.
Individuals Located in the European Economic Area, the United Kingdom, or Switzerland. If you are located in the European Economic Area, the United Kingdom, or Switzerland, applicable data protection laws, including the General Data Protection Regulation (GDPR), give you certain rights. For more information, please see our EEA/UK/Switzerland Privacy Notice.
California Residents. Pursuant to the California Consumer Privacy Act of 2018 (CCPA), California residents are afforded certain additional rights regarding our use of your personal information (“CCPA Rights”). Please note that the CCPA Rights do not apply to personally identifiable health information. If you are a California resident, please see our California Privacy Notice.
Nevada Residents. Pursuant to Nevada law, you may direct a business that operates a website not to sell certain personal information the business has collected or will collect about you. For information about your rights under Nevada law, please contact email@example.com.
Should you have any questions about this policy or our privacy practices, please send an email to firstname.lastname@example.org or write us at:
Cytometry Specialists, Inc.
ATTN: Privacy Officer
2580 Westside Parkway
Alpharetta, GA 30004
EEA/UK/Switzerland PRIVACY NOTICE
This EEA/UK/Switzerland Privacy Notice (“Notice”) explains how Cytometry Specialists, Inc. (“CSI,” “we,” or “us”) complies with certain privacy rights specifically available to individuals (collectively, “European Residents”) located in the European Economic Area (inclusive of the European Union) (“EEA”), United Kingdom (“UK”), or Switzerland (collectively, “Designated Countries”).
Our Relationship to You
Under the GDPR, a “controller” is an entity that determines the purposes for which and the manner in which any personal information is processed. A “processor” is an entity that processes personal information on behalf of a controller.
CSI may act as a “controller” in very limited circumstances with respect to your personal information. For example, if you are an employee or an independent contractor who is a European Resident, and CSI collects your personal data, CSI is a controller of such data. Likewise, to the extent a provider enters personal information into our Provider Portal or Client Portal on our Website, CSI may be legally deemed a controller as to the information that a provider enters directly into the Website about themselves or their patients. However, at this time, CSI does not offer services to European Residents, does not have offices or locations in the Designated Areas, and does not make its Website Services generally available to consumers from the Designated Areas.
Lawful Bases for Processing Your Personal Information
We process personal information on the following legal bases: (1) with your consent, per an informed consent form from your provider; (2) as necessary to fulfill our legal obligations or contractual obligations to provide Services; and (3) as necessary for our legitimate interests in providing the Services where those interests do not override your fundamental rights and freedoms related to data privacy. To the extent that any de-identified data is anonymized, it is not considered personal data and falls outside applicable privacy laws.
Direct marketing includes any communications we send to you that are only based on advertising or promoting products and services. Transactional communications about your account or our Services are not considered “direct marketing” communications. We will only contact patients or providers by electronic means (including email or SMS) based on our legitimate interest or their consent. If you do not want us to use your personal information in this way, please click an unsubscribe link in your emails, or contact us at email@example.com.
We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on others’ privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, or if you would like to exercise your rights under the applicable law, please contact us at firstname.lastname@example.org.
Right to withdraw consent. If we rely on consent to process your personal information, you have the right to withdraw your consent at any time. A withdrawal of consent will not affect the lawfulness of our processing or the processing of any third parties based on consent before your withdrawal.
Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee. We may limit your access if such access would adversely affect the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us, unless you can already do so directly via the Services.
Right to erasure (the “right to be forgotten”). You may request us to erase any of your personal information held by us that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to, but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing.
Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract, or legitimate interests. We can continue to process your personal information if it is necessary for the defense of legal claims, or under any other exceptions permitted by applicable law.
Right to restriction. You have the right to restrict our processing of your personal information where one of the following applies:
- You contest the accuracy of your personal information that we processed. In such cases, we will restrict the processing of your personal information, which may result in an interruption of some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
- The processing is unlawful, and you oppose the erasure of your personal information and request the restriction of its use instead.
- We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise, or defend legal claims.
- You have objected to processing, pending the verification of whether the legitimate grounds of our processing override your rights. In such cases, we will only process your restricted personal information with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if or when the restriction is lifted.
Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used, and machine-readable format, and to have us transfer your personal information directly to another “controller,” where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others.
Notification to third parties. If we share your personal information with third parties, we will notify them of any requests for rectification, erasure, or restriction of your personal information, unless this proves impossible or involves disproportionate effort.
The rights described above may be limited by local laws. Further, your right of access and deletion is not absolute and may not be available if fulfillment of such right would, among other things:
- Cause interference with execution and enforcement of the law and legal private rights (such as in the case of the investigation or detection of legal claims or the right to a fair trial).
- Breach or prejudice the rights of confidentiality and security of others.
- Prejudice security or grievance investigations, corporate re-organizations, future and ongoing negotiations with third parties, the compliance with regulatory requirements relating to economic and financial management.
- Otherwise violate the interests of others or where the burden or cost of providing access would be disproportionate.
International Data Transfers
When information of European Residents is transferred from the Designated Region to our laboratories in the United States, when legally required, we take measures aimed to provide the appropriate level of data protection, including ensuring that such transfers are governed by the Standard Contractual Clauses or other similar applicable and legally acceptable mechanisms.
Complaints or Questions
If you believe we have infringed or violated your privacy rights, please contact us, so that we can work to resolve your concerns: email@example.com.
You may also contact our EU Representative, DataRep, here.
You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement. Relevant contact details can be found here for the EEA, here for the UK, and here for Switzerland.
CALIFORNIA PRIVACY NOTICE
This California Privacy Notice applies solely to California residents and their personal information, as covered under the California Consumer Privacy Act of 2018, and as amended (“CCPA”). The CCPA provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Information” (“PI”), as well as rights to know/access, correct, delete, and limit sharing of Personal Information. The CCPA defines “Personal Information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Cytometry Specialists, Inc.’s (“CSI”) core business is generally not subject to the CCPA. This California Privacy Notice does not apply to information we collect that is “medical information” governed by the California Confidentiality of Medical Information Act or “protected health information” (“PHI”) governed by the privacy, security, and breach notification rules of HIPAA because this information is not within scope of the CCPA. For example, this California Privacy Notice does not apply to the information we collect from you in connection with laboratory testing, your test results, or other information that may legally be deemed PHI. See our HIPAA Notice of Privacy Practices for information on our use and disclosure of medical information and other protected health information.
Certain other information we collect may also be exempt from the CCPA because it is considered public information (i.e., it is made available by a government entity) or covered by another specific federal privacy law. To the extent that we collect Personal Information that is subject to the CCPA, that information, our practices, and your rights are described below.
What We Collect
We may collect Personal Information from our employees and/or job applicants who are California residents in a variety of different situations and using a variety of different methods, including, but not limited to, in-person, on our website, on our networks, your personal mobile device, company-issued devices, through email, in physical locations, through written applications, through the mail, and/or over the telephone. Additionally, we may collect job applicants’ Personal Information from other businesses that collect and provide or sell it to third parties in connection with job recruiting.
The list below describes: (1) the categories of Personal Information that we may collect about our consumers who are California residents or may have collected about them in the preceding 12 months; and (2) the categories of California residents’ Personal Information that we may have disclosed for a business purpose.
- Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers or registration information, web behavior information. We use these to provide our services.
- Personal Information categories described in Cal. Civ. Code § 1798.80(e):
  - For our website visitors and customers: address, telephone number, bank account number, credit or debit card number, other financial information, medical information, health insurance information.
- Protected Classifications under California law: Race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth, and related medical conditions), sexual orientation, and veteran or military status. Generally, this information is collected (if at all) because you or your provider provides it directly to us. Certain elements may be developed or analyzed by CSI in relation to our Services.
- Commercial information: Information such as products or services ordered or purchased by your provider, obtained, or considered; survey responses; information about you or your provider.
- Internet or other electronic network activity information: Web-behavior information such as data generated from your use of our Websites and collected through log files, cookies, web beacons, and similar technologies. Such information may include your browser type, domains, page view, how long you spent on a page or feature of the Websites, what pages you looked at, or other data about your engagement with the Websites or the Services.
- Audio, electronic, visual, thermal, olfactory, or similar information: Generally, this information would be collected directly from you, or passively collected from you on our Websites. For example, we may record calls for monitoring and customer-service purposes, and we may utilize video surveillance for safety purposes at our physical locations.
- Professional or employment-related information: Education, occupation, and other professional information collected when you apply for a job with CSI. Please see our Privacy Notice to California Job Applicants.
- Sensitive Personal Information:
  - For our website visitors and customers: account log-in; financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation (IP address and/or GPS location, latitude & longitude); and personal information collected and analyzed concerning a consumer’s health.
How We Will Use Your Personal Information
We may use your Personal Information for one or more of the following business purposes:
- To fulfill or meet the reason for which the Personal Information is provided.
- To provide you with information about our products or services that you request from us.
- To provide you with email alerts and other notices concerning our products or services, or events or news that may be of interest to you.
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us.
- To improve our Website.
- For product development.
- As necessary or appropriate to protect the rights, property, or safety of us or others.
- To respond to law enforcement requests, and as required by applicable law, court order, or governmental regulations.
We will not use the Personal Information we have collected for materially different, unrelated, or incompatible purposes other than those listed above without providing you notice. We limit our use of Sensitive Personal Information to that use which is necessary to perform the Services or provide the goods reasonably expected by an average consumer who requests such goods or Services.
Sale and Sharing
We do not sell your Personal Information for monetary payments. We also have not shared (as that term is expressly defined in the CCPA) any Personal Information subject to the CCPA in the past twelve (12) months. However, we may have made certain categories of information available to third party analytics providers (including for cross-context behavioral advertising) in the past twelve (12) months, which may constitute “sharing” of your personal information under current legal standards. These categories of information include: IP addresses and web-behavior information such as data generated from your use of our Websites and collected through log files, cookies, web beacons, and similar technologies. Such information may include your browser type, domains, page view, how long you spent on a page or feature of the Websites, what pages you looked at, or other data about your engagement with the Websites or the Services.
Your Rights Under the CCPA
- Right to Know/Access Information
You have the right to request access to Personal Information collected about you and information regarding the source of that information, the purposes for which we collect it, and the third parties and Service Providers with whom we share it. Specifically, you have the right to request that we disclose the following information to you, limited to the preceding twelve months: (1) the categories of Personal Information that we collected about you; (2) the categories of sources from which the Personal Information is collected; (3) the business or commercial purpose for collecting, selling or sharing Personal Information; (4) the categories of third parties to whom we disclose Personal Information; (5) the specific pieces of Personal Information that we have collected about you; (6) the categories of Personal Information that we disclosed about you for a business purpose, sold or shared to third parties; and (7) for each category of Personal Information identified, the categories of third parties to whom the information was disclosed, sold or shared. You may submit such a request as described below.
To protect our customers’ Personal Information, we are required to verify your identity before we can act on your request. We are only required to respond to such requests from you twice in a twelve-month period.
- Right to Request Deletion of Information
You have the right to request, in certain circumstances, that we delete Personal Information that we have collected directly from you, subject to certain exceptions. You may submit such a request as described below. To protect our customers’ Personal Information, we are required to verify your identity before we can act on your request. We may have a reason under applicable law, rule, order, or regulation why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.
- Right to Correct Inaccurate Personal Information
You have the right to request that we correct inaccurate Personal Information that we maintain about you. However, in some cases, we may deny requests to correct inaccurate Personal Information, or may alternatively delete such personal information.
- Right to Opt-Out
We do not sell your Personal Information for monetary payments. However, the definitions of “personal information” and “sale” under the CCPA are broad. Because of the breadth of these definitions under the CCPA, and the uncertainty surrounding the meaning of “sharing” and “sale,” we have provided opt-out instructions.
You have the right to direct us not to sell your Personal Information. You may exercise your opt-out rights by emailing your request to firstname.lastname@example.org or by calling us at 678-248-8000.
- Right of No Retaliation Following Exercise of Rights
We will not discriminate against any individual for exercise of any CCPA rights.
How to Submit a Request
You may submit a request to exercise your rights to know/access, correct or delete your Personal Information by emailing your request to email@example.com or by calling us at 678-248-8000.
In order to process your request to know/access, correct or delete Personal Information we collect, disclose, share or sell, we must verify your request. We do this by asking you to provide personal identifiers we can match against information we may have collected from you previously.
You may authorize another individual or a business registered with the California Secretary of State, called an authorized agent, to make requests on your behalf. We require that you and the individual complete notarized affidavits in order to verify the identity of the authorized agent and confirm that you have authorized them to act on your behalf.
Each request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or that you have duly authorized the person making the request on your behalf. We do not offer any rewards programs or incentives for the collection or sharing of data.
Retention of Personal Information
We generally use the following criteria to determine the relevant retention period: we retain Personal Information for periods of time, which range depending on the level of sensitivity of data; continued need for data (for example, to continue to provide services to you, or to continue maintaining HR files for our employees); our legal obligations; applicable statutes of limitations for potential legal claims; contractual obligations; and other similar criteria. Generally, we aim to retain data for a shorter period of time when such data is more sensitive, when its deletion will not result in significant business interruptions, and/or when there are no existing legal requirements for preserving data for a longer period of time. We extend the retention periods for information subject to a Legal Hold, for the duration of the Legal Hold.
Additionally, we strive to follow data minimization principles and to retain Personal Information for the period of time reasonably necessary to perform our services, unless retaining data for longer periods is necessary to improve or provide future services, or is done with consent, or as otherwise disclosed in our applicable privacy policies. We further aim to implement record retention periods at the system level, with the goal of minimizing data risks. Different retention periods apply to different categories of data.
Here are some examples of our current retention periods for personal information:
- User names and passwords are retained for 2 years.
- For employee data, we retain data for the duration of employment, plus up to 1 to 5 years thereafter.
- For Instant Messaging Applications, the applicable retention period is 30 days.
- For voicemails, the applicable retention period is 6 months.
- For visual, audio, and video recordings, the applicable retention period is 90 days.
- For emails sent to us by you, the applicable retention period ranges between 1-2 years.
Updates and Changes
We may update this California Privacy Notice from time to time. When we do update it, for your convenience, we will make the updated Notice available on this page. Changes and additions to the Notice are effective from the date on which they are posted.
Our Contact Information
If you have any questions regarding this Notice, please contact us:
Via Email: firstname.lastname@example.org
Via Toll-Free Number: 678-248-8000
Via U.S. Mail:
Cytometry Specialists, Inc.
ATTN: Privacy Officer
2580 Westside Parkway
Alpharetta, GA 30004
PRIVACY NOTICE TO CALIFORNIA JOB APPLICANTS
Fulgent Therapeutics LLC and/or any affiliated entities (collectively, the “Company” or “we”) provide this California Privacy Notice (“Notice”) to describe our privacy practices with respect to our collection of Personal Information as required under the California Consumer Privacy Act (“CCPA”). This Notice applies only to job applicants and candidates for employment who are residents of the State of California (“Consumers”) and from whom we collect “Personal Information” as defined in the CCPA. We provide you this Notice because under the CCPA, California residents who are job applicants qualify as Consumers. For purposes of this Notice, when we refer to Consumers, we mean you only to the extent you are a job applicant who resides in California.
Information We Collect from or About Job Applicants
We may collect Personal Information from you in a variety of different situations and using a variety of different methods, including, but not limited to, on our website, your mobile device, through email, in physical locations, through written applications, through the mail, and/or over the telephone. Additionally, we may collect your Personal Information from other businesses that collect and provide or sell it to third parties and businesses like ours in instances where we do not have a direct relationship with you. Generally, we may collect, receive, maintain, and use the following categories of Personal Information, depending on the particular purpose and to the extent permitted under applicable law:
Of the above categories of Personal Information, the following are categories of Sensitive Personal Information the Company may collect:
- Personal Identifiers (social security number; driver’s license or state identification card number; passport and visa information, including ethnic or racial origin, immigration status, and related documentation).
- Company account log-in (in combination with any required security or access code, password, or credentials allowing access to the account).
Personal information does not include:
- Publicly available information from government records.
- Information that a business has a reasonable basis to believe is lawfully made available to the general public by the job applicant or from widely distributed media.
- Information made available by a person to whom the job applicant has disclosed the information if the job applicant has not restricted the information to a specific audience.
- De-identified or aggregated information.
How We Use Personal Information and Sensitive Personal Information
The Personal Information and Sensitive Personal Information we collect, and our use of Personal Information and Sensitive Personal Information, may vary depending on the circumstances. This Notice is intended to provide an overall description of our collection and use of Personal Information and Sensitive Personal Information. Generally, we may use or disclose Personal Information and Sensitive Personal Information we collect from you or about you for one or more of the following purposes:
- To fulfill or meet the purpose for which you provided the information. For example, if you share your name and contact information to apply for a job with the Company, we will use that Personal Information in connection with your candidacy for employment.
- To comply with local, state, and federal law and regulations requiring employers to maintain certain records (such as immigration compliance records, travel records, personnel files, wage and hour records, payroll records, accident or safety records, and tax records), as well as local, state, and federal law, regulations, ordinances, guidelines, and orders relating to COVID-19.
- To evaluate, make, and communicate decisions regarding your job application and candidacy for employment.
- To obtain and verify background checks and references.
- To communicate with you regarding your candidacy for employment.
- To evaluate and improve our recruiting methods and strategies.
- To engage in lawful monitoring of job applicant activities and communications when they are on Company premises or are utilizing Company internet and WiFi connections, computers, networks, devices, software applications or systems.
- To evaluate job applicants and candidates for employment or promotions.
- To obtain and verify background checks on job applicants and to verify employment references.
- To engage in corporate transactions requiring review or disclosure of job applicant records subject to non-disclosure agreements, such as for evaluating potential mergers and acquisitions of the Company.
- To promote and foster diversity, equity, and inclusion in the workplace.
- COVID-19 RELATED PURPOSES:
  - To reduce the risk of spreading the disease in or through the workplace.
  - To protect job applicants and everyone else at Company workplaces from exposure to COVID-19.
  - To comply with local, state, and federal law, regulations, ordinances, guidelines, and orders relating to COVID-19, including applicable reporting requirements.
  - To facilitate and coordinate pandemic-related initiatives and activities (whether Company-sponsored or through the U.S. Center for Disease Control and Prevention, other federal, state and local governmental authorities, and/or public and private entities or establishments, including vaccination initiatives).
  - To identify potential symptoms linked to COVID-19 (including through temperature checks, antibody testing, or COVID-19 questionnaire).
  - To permit contact tracing relating to any potential exposure.
  - To communicate with job applicants and other consumers (including employees and visitors to our workplace) regarding potential exposure to COVID-19 and properly warn others who have had close contact with an infected or symptomatic individual so that they may take precautionary measures, help prevent further spread of the virus, and obtain treatment, if necessary.
- To evaluate, assess, and manage the Company’s business relationship with vendors, service providers, and contractors that provide services to the Company related to recruiting or processing of data from or about job applicants.
- To improve job applicant experience on Company computers, networks, devices, software applications or systems, and to debug, identify, and repair errors that impair existing intended functionality of our systems.
- To protect against malicious or illegal activity and prosecute those responsible.
- To prevent identity theft.
- To verify and respond to consumer requests from job applicants under applicable consumer privacy laws.
Sale/Sharing of Information to Third Parties
The Company does not and will not sell your Personal Information or Sensitive Personal Information for any monetary or other valuable consideration. The Company does not and will not share your Personal Information or Sensitive Personal Information for cross-context behavioral advertising.
By signing below (or by clicking “ACCEPT” or “OK” or “AGREE” or checking the box), I acknowledge and confirm that I have received and read and understand this disclosure, and I hereby authorize and consent to the Company’s use of the personal information and sensitive personal information it collects, receives, or maintains for the business purposes identified above.
Job Applicant’s Signature: _______________
Print Your Full Name: _______________
Unless we ask for your explicit consent, by accessing or using our Services, you accept the data practices and terms detailed in this Policy. If you do not agree with this Policy, please discontinue your access or use of our Services immediately. This Policy does not apply to services offered by other companies or other sites linked from our Services.
Amendments to this Policy
We may update this Policy at any time. You will be notified if we make any material changes to this Policy when you first visit our Services after the change or via email. In the event we send you an email notice, we will use the email address we have on file. We will update the Last Updated date at the top of this Policy when we make changes to this Policy.
What is a cookie?
Cookies are small data files that we transfer to your device to collect information about your use of our Services to help us understand you better. Cookies can be recognized by the website that downloaded them or other websites that use the same cookies. This helps websites know if your browsing device has visited them before.
We allow selected third parties to place cookies through our Services to provide us with better insights into the use of the websites and more. Cookies on our Services that are supplied by us are called “first-party cookies,” while cookies on our Services that are provided by third parties are called “third-party cookies.” Third-party cookies are operated by third parties that can recognize your device across the Internet, such as when you visit other websites or mobile apps. CSI does not control how third-party cookies are used, and we encourage you to check the websites of any third-party cookie providers for more information about how they use cookie information.
Are cookies “personal information”?
CSI generally treats data collected by cookies and other tracking technologies as non-personal information. Some cookies are used to collect anonymous information on the pages visited, while others may collect IP addresses, user IDs, or similar identifiers that are considered personal information by local law. In instances where the local law recognizes such information as personal, we treat the cookie information with identifiers as personal information. If we combine non-personal information with personal information, then the combined information will be treated as your personal information for as long as it remains combined.
Cookies can serve a variety of purposes. For example, cookies can save your website preferences, tell us which pages are most popular, alert us when certain pages are receiving error messages, or provide you with a secure browsing session on our Services. Such information helps us improve and optimize our Services.
Types of cookies collected by CSI
We use the cookies described below on our Services:
How long does CSI store cookie data?
Our cookie data retention periods vary depending on the type of cookie. A “session cookie” collects and stores information about your interactions with our Services and is deleted after you close your browser. A “persistent cookie” saves information about you for longer periods of time, such as your registration ID and login password for future logins to our Services. The retention periods for persistent cookies vary and depend on the purpose of the cookie collection. If you are concerned about your cookies, you can delete cookie data as described below.
How to manage cookies via your browser settings
You can prevent cookies from being stored on your hardware by selecting “do not accept cookies” in your browser settings. Please refer to the instructions of your browser manufacturer to find out how this works in detail. You can delete cookies already set on your computer at any time. If you do not accept cookies, however, this can lead to functional restrictions of our Services. You can also find out more information about how to change your browser cookie settings at www.allaboutcookies.org.
Our Website also uses Google Analytics to provide us with information about the use of our Website. This information will be transmitted to and stored by Google on servers in the United States. Google uses this information on behalf of CSI for the purpose of evaluating the use of our Website, compiling reports on Website activity, and providing us with other services relating to Website activity and internet usage. Your IP address conveyed within the scope of Google Analytics is not associated with any other data held by Google.
You can opt out of being tracked by Google Analytics as described at Google Analytics: https://tools.google.com/dlpage/gaoptout (requires you to install a browser add-on).