Privacy Policy | Karius

Karius Privacy Policy and Notice

THIS KARIUS PRIVACY POLICY AND NOTICE (“NOTICE”) DESCRIBES HOW INFORMATION, INCLUDING MEDICAL INFORMATION, THAT WE RECEIVE MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

 

This Notice is related solely to the Karius Service and is different from a “Notice of Privacy Practices” governing any health care services you may receive from your health care providers.

 

This Notice is being provided to you by Karius, Inc. (“Karius”, “us”, “we” or “our”). Karius is a life sciences company focused on generating genomic insights for infectious diseases with a non-invasive Karius TestTM that helps clinicians make rapid treatment decisions.

 

This Notice describes the ways in which we collect, use, and disclose information we receive through www.kariusdx.com and other online platforms and mobile applications that we operate and that link to this Notice (the “Site”).

 

This Notice applies to our website at www.kariusdx.com (the “Site”), use of the online portal available via the Site, the Karius mobile application (the “App”) and all of the services available therein (collectively referred to in this Notice as the “Karius Service”) that may be provided by us or our affiliates.

 

Karius, as a “covered entity”, is subject to the terms of the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”). We are required by law, to maintain the privacy of “protected health information.” “Protected health information” or “PHI” includes any individually identifiable information that we obtain from you or others that relates to a patient’s past, present, or future physical or mental health, the health care services a patient has received, or payment for a patient’s health care services. We will only use and disclose PHI in accordance with HIPAA.

 

This Notice provides you with information about our practices with respect to the privacy of PHI. This Notice also discusses the uses and disclosures we may make with respect to PHI. This Notice also describes the risks of using electronic communications and electronic storage of health information. We reserve the right to change the terms of this Notice from time to time and to make the revised Notice effective for all PHI we maintain.

 

Any collection, use or disclosure of PHI by other covered entities with whom we contract is not governed by this Notice and any such collection, use or disclosure is subject to the relevant privacy policies or notices of such covered entities.

1. What information do we collect?

Karius collects industry standard data from everyone who uses the Karius Service — even if you don’t have a Karius account. This includes log data that automatically records information about your use of the Karius System. Log data includes information such as your operating system, the different actions you performed, and the IP address you used to access the Karius Service. We use this type of information to provide you with an experience that’s relevant to your location based on the IP address, to prevent Karius Service misuse, and to ensure the Karius Service is working properly. We also collect data from cookies. To see the full list of cookies we use and how we use them, please read our Cookie Policy below.

 

In connection with our performance of the Karius TestTM, performed in our CLIA-certified and CAP-accredited laboratory, we collect information that personally identifies patients including:

  • For patients, we collect PHI, including: name, birthdate, medical record number, and other characteristics that could uniquely identify a patient.
  • For medical professionals (e.g. clinician, doctor, nurses, etc.), we collect personal data such as your name, email address and phone number so that we can contact you with regards to your use of the Karius Service.

 

We will indicate if the collection and provision of certain categories of personal data is mandatory. For any such categories, we may not be able to provide you with access to the Karius Service if you do not provide us with the required information.

 

During a verbal clinical consultation between a Karius Medical Director and the treating physician, we may collect additional information that personally identifies patients.

 

Please see below for more details on the types of personal data that we may collect.

When you create a Karius account

When you create a Karius account, we ask for some personal data, including your name, email address, and telephone number.

When you contact us for help

Whenever you contact Karius for help, we collect your name and email address along with additional information you provide in your request so that we can provide you with assistance and improve the Karius Service.

Information from third parties

We may obtain PHI from third party sources (e.g. healthcare providers, insurance providers, etc.) that is necessary to provide you with the Karius Service. Examples of such personal data we may obtain from third party sources include your name and contact details.

 

2. How we use your personal data

If you are a user of the Karius Service, Karius will process PHI on behalf of the applicable covered entity client in accordance with the agreement into which we enter with such covered entity client and HIPAA. We are only to use and disclose PHI only to:

  • Perform our obligations in the course of or in connection with our provision of the Karius Service to the covered entity client (on whose behalf you are using the Karius Service).
  • Verify your identity to provide you with access to the Karius Service (e.g. generating one-time passwords); and
  • Facilitate your creation of a Karius account.

 

We may also (i) use some anonymized and de-identified data to research, understand and improve the Karius Service; to detect and protect against error, fraud or other criminal activity; and to protect the security or integrity of the Karius Service; and (ii) use and disclose aggregated, de-identified data with partners and the public in a variety of ways. If we provide this information, we use appropriate procedures so that the data does not identify you and we contractually prohibit recipients of the data from re-identification.

 

3. Retention of personal data

We will retain PHI in accordance with HIPAA and other applicable law.

 

4. Access to personal data

We must use protected PHI in accordance with HIPAA, which includes applying certain administrative, technical and physical safeguards to ensure the privacy and security of PHI.

Deletion of your account with us will not automatically delete the PHI that was associated with your account. If you would like to request that we delete all PHI together with the deletion of your account, please contact us at legal@kariusdx.com. Our ability to comply with your deletion request is subject to any applicable legal, contractual or other requirement to maintain certain records of PHI. In that regard, please note that the deletion of PHI from our database will result in us not being able to provide you with the Karius Service.

 

5. Storage and security of personal data

We will maintain the security of PHI and protect it from misuse, interference and loss and against unauthorized collection, copying, access, modification or disclosure in accordance with HIPAA and our covered entity clients. Where you have chosen a password to access the App, you are responsible for keeping your password confidential. Do not share your password with anyone.

 

Due to the nature of the internet, we do not provide any guarantee or warranty regarding the security of any personal data during transmission to or storage by us and you acknowledge that the disclosure of personal data to us is at your own risk. Please contact us immediately if you become aware or have reason to believe there has been any unauthorized use of personal data in connection with the Karius Service.

 

The personal data you provide to us or that is disclosed to us by our covered entity clients may be transferred to and stored with a cloud service provider with servers that are located in various jurisdictions. Some of these jurisdictions may not have the same or substantially similar privacy laws than those of your home jurisdiction.

 

6. Risks Associated with Electronic Communications and the Storing of Your PHI Electronically

We understand the importance of protecting PHI and take our security obligations seriously. We take a number of steps to safeguard the privacy and security of PHI. However, any device or application connected to the Internet is susceptible to a security breach, despite the level of administrative, technical, and physical safeguards employed. This means that there is a risk that unauthorized persons may be able to access and read PHI. By using the Karius Services, you agree that you have read, understand, and accept this risk.

 

7. Cookie Policy

Some of the information that we collect will not personally identify you but will instead track your use of the Karius Service that we can better understand how the Karius Service is used by end users and in turn enhance and improve your experience in using the Karius Service. This information can be obtained through the use of cookies. Cookies are a small data file transferred to your device that recognizes and identifies your device and allows your device to ‘remember’ information from the Karius Service for future use. We may collect technical information from your web browser or mobile device or your use of our services through a web browser or mobile device, for example, location data and certain characteristics of, and performance data about your device, carrier/operating system including device and connection type and IP address. Unless you have elected to remain anonymous through your device and/or the web browser, the above mentioned information may be collected and used by us automatically through your use of the Karius Service or the App.

 

You have a number of options to control or limit how we and our partners use cookies and similar technologies, including for advertising.

  • Although most browsers and devices accept cookies by default, their settings usually allow you to clear or decline cookies. If you disable cookies, however, some of the features of the Karius Service may not function properly.
  • To prevent your data from being used by Google Analytics, you can install Google’s opt-out browser add-on by visiting https://tools.google.com/dlpage/gaoptout.
  • To opt out of ads on platforms that are targeted to your interests, based on your platform settings.
  • Check your mobile device for settings that control ads based on your interactions with the applications on your device. For example, on your iOS device, enable the “Limit Ad Tracking” setting, and on your Android device, enable the “Opt out of Ads Personalization” setting.

The Karius Service does not respond to Do Not Track signals because we do not track our users over time and across third-party websites to provide targeted advertising. However, we believe that you should have a choice regarding interest-based ads served by our partners, which is why we outline the options available to you above.

 

8. Changes to our Privacy Policy/Notice

Karius reserves the right to amend all or any part of this Notice. Any changes will be communicated to you through the Karius Service. Your continued use of the Karius Service with us after any such changes are communicated to you constitutes your agreement to this Notice as amended.

 

9. Other Applications

The Karius Service may have links to other apps or websites. We are not responsible for the security or privacy of any information collected by such apps or websites and, while we do not permit those apps or websites to track your use of the Karius Service, we are unable to control whether such tracking mechanisms are implemented by those apps or websites. You should exercise caution and review the privacy statements applicable to the third-party websites and services you use. The use of online tracking mechanisms by those third-party websites and services is subject to those third parties’’ own privacy policies, and not this Notice.

 

10. Effect of Notice

This Notice applies in conjunction with any other policies, notices, contractual clauses and consent statements that apply in relation to the collection, use and disclosure of your personal data by us.

 

11. Contact Us

All comments, queries and requests relating to our use of your personal data are welcomed and should be addressed to our Privacy Officer at legal@kariusdx.com. If you believe that your privacy rights have been violated, please contact us. We will not take action against you for filing a complaint. You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services at: https://ocrportal.hhs.gov/ocr/smarts creen/main.jsf.

 

This Notice is effective as of December 22, 2020.