Consumer Health Data Privacy Policy
Effective 30 June, 2024
Depending on your state of residence, you may have certain rights in relation to your consumer health data that has been collected by Outset Medical Inc. and its affiliated companies (“Outset” or “us”). Consumer health data is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status”. This includes (but is not limited to) the following examples: information about your health conditions, treatment, diseases, or diagnosis; social, psychological, behavioral, and medical interventions; health-related surgeries or procedures; use or purchase of prescribed medication; bodily functions, vital signs, symptoms, or measurements of your body; diagnoses or diagnostic testing, treatment, or medication; gender-affirming care information; reproductive or sexual health information including reproductive health care; biometric data; genetic data; precise location information that could reasonably indicate your attempt to acquire or receive health services or supplies; and data that identifies you when seeking health care services.
This Consumer Health Data Privacy Policy (“Policy”) does not apply to information that we collect from you that is:
- Subject to the Health Insurance Portability and Accountability Act (HIPAA), which includes personal health information (PHI) collected by your healthcare provider for the purpose of treatment or diagnosis, payment for healthcare services, and certain healthcare operations;
- Intermingled with PHI that is subject to HIPAA and maintained by a healthcare provider or facility, a business associate of a healthcare provider, a healthcare plan, or a licensed substance abuse facility;
- Collected pursuant to a clinical trial;
- Being used only for public health activities and purposes;
- Covered under certain other exceptions under the applicable consumer health data law such as data subject to the Fair Credit Reporting Act, the Washington Health Benefit Exchange, or privacy rules adopted by the office of the insurance commissioner of the state of Washington; or
- Information that has been deidentified (cannot be linked back to you).
We may deidentify or collect deidentified data for these purposes described in this Policy. When collecting deidentified data, we will only process such data in a deidentified fashion and will not make any attempts to reidentify such data.
We do not knowingly collect, process, share, or sell the personal information of minors under the age of 16.
Categories of Consumer Health Data We Collect
We collect the following categories of consumer health data:
- Personal information: Address and contact information, site assessment/installation information.
- Internet or electronic activity information: Tablo unit software information, Tablo unit serial number, ID number and IP address.
- Information about dialysis usage: Whether you or a loved one receive dialysis, and if so, the specific type of dialysis received (hemodialysis vs. peritoneal dialysis) and where the dialysis is conducted (home, clinic, or hospital).
- Audio or visual information: Customer-service calls and communications regarding maintenance.
- Inferences drawn from any personal information we collect, which inferences constitute consumer health data
Purposes for Collection and Uses of Consumer Health Data
We collect the categories of Consumer Health Data identified for the following purposes and use cases:
Categories of Consumer Health Data | Purposes for Collection |
---|---|
Personal information: Address and contact information, site assessment/installation information.
Internet or electronic activity information: Tablo unit software information, Tablo unit serial number/ID number and IP address. Information about dialysis usage: whether you or a loved one receive dialysis, and if so, the specific type of dialysis received (hemodialysis vs. peritoneal dialysis) and where the dialysis is conducted (home, clinic, or hospital). Audio or visual information: customer-service calls and communications regarding maintenance. Inferences drawn from any personal information we collect, which inferences constitute consumer health data. |
To provide you with the information you request and our services; to contact you from time to time; to provide you with information about our business; for customer support. |
Internet or electronic activity information Inferences drawn from any personal information we collect, which inferences constitute consumer health data. | To deliver advertisements and marketing promotions and offers about products or services we think may be of interest to you; and to analyze the placement and effectiveness of our advertisements and other marketing efforts. |
Internet or electronic activity information: Tablo unit software information, Tablo unit serial number/ID number and IP address. | To monitor or improve our Sites and for internal business analysis. |
Categories of Sources From Which We Collect Consumer Health Data
We collect consumer health data directly from our customers or their caregivers, website users, and representatives of entities with which we do business or may do business.
Disclosure of Consumer Health Data to Third Parties
Service providers may process data on our behalf to provide products or services in a manner consistent with the purpose for which consumer health data was collected and disclosed. This includes our third parties that provide processor services to us from time to time. The following chart describes the categories of consumer health we share with third parties:
Categories of Consumer Health Data | Categories of Third Parties to Which We Share Consumer Health Data |
---|---|
Personal information: Address and contact information, site assessment/installation information. Internet or electronic activity information: Tablo unit software information, Tablo unit serial number/ID number and IP address. |
Service providers that manage customer information and provide customer service, provide security services and cloud-based data storage, host our website and assist with other IT-related functions, advertise and market our products, provide analytics information, and provide accounting services |
Inferences drawn from any personal information we collect, which inferences constitute consumer health data. | To monitor or improve our Sites and for internal business analysis related to sales and marketing.
To perform business analytics to improve our products and services. |
Business Purposes for Such Disclosures
We disclosed consumer health data to the categories of third parties identified above for the following purposes: to manage customer, supplier and vendor accounts and relationships; fulfill orders and transactions; engage in advertising and marketing; operate our IT systems and secure our systems; prevent fraud and other illegal activities; and to obtain professional advice about legal and accounting matters.
Additional Information About How We May Disclose Consumer Health Data and Purposes for Disclosures
We may also disclose your consumer health data as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property or safety of others, including to law enforcement agencies, and judicial and regulatory authorities. And we may disclose or transfer your consumer health data to a third party in the event of an actual or potential sale, merger, reorganization of our business, a part of our business or other restructuring or corporate transaction. We do not sell consumer health data for monetary or other valuable consideration.
Your Right to Confirm and Access the Consumer Health Data We Collect About You.
We are committed to ensuring that you know what consumer health data we collect. You can ask us for information about any or all of the following types of consumer health data that we have collected about you on or after June 30, 2024:
- Categories of consumer health data about you that we have collected, including information that is derived or extrapolated from non-health information (such as derivative, inferred or emergent data from any means, including AI and machine learning);
- The identity of sources from which such consumer health data was collected;
- Categories of consumer health data that the business sold, shared, or disclosed about you;
- The identity of third parties to whom your consumer health data was sold or shared, and a method of contacting those third parties; and
- The purpose for collecting, sharing, or selling your consumer health data.
You also may request to access such data, including a list of all third parties and affiliates with whom we have shared or sold such data and an active email address or other online mechanism that you may use to contact these third parties. As noted above, we do not sell consumer health data.
Your Right to Request Deletion of Your Consumer Health Data.
You have the right to have your consumer health data deleted. Upon your request, we will delete all consumer health data that we have collected about you (subject to certain legal exceptions). If you request that we delete your consumer health data, we will within 30 days of verifying your request: (1) delete your consumer health data from our records, including from all parts of our network such as archives or backup files; and (2) notify all affiliates, processors, contractors, and other third parties with whom we have shared consumer health data of your deletion request. Please note that the deletion of your consumer health data from archives or backup systems may take up to six months to complete.
We do not share consumer health data from users of the TabloHub and associated digital services, including MyTablo™ and connected devices including the Tablo® hemodialysis system for home dialysis (collectively “Tablo Portal”) except as strictly necessary to provide the services requested by you. We may communicate with your healthcare provider, your care partner or legal representative, or with vendors who provide services or supplies to you for installation or use of the system. We may communicate with other third parties if you direct us to do so and with your consent.
Your Consent Options With Regard to Sharing Your Consumer Health Data
We will not collect your consumer health data unless it is necessary to provide a product or service that you have requested from us or we have your consent for such collection for a specified purpose. For example, if you request more information about our products or services, we may ask you to provide information about your current healthcare experience in order to better address your request or to provide you with the most relevant information for your specific location or situation, based on the information that you have provided to us. If you consent, we may contact you for the purposes of advertising our products or services that may be of interest to you, however, you may withdraw your consent at any time and/or unsubscribe from further contact.
We will not share your consumer health data unless we have your consent for such sharing and your consent has been provided in a way that is separate and distinct from the consent obtained to collect your consumer health data; or to the extent necessary to provide a product or service that you have requested from us.
You have the right to withdraw consent from our collection and sharing of your consumer health data subject to certain specific exceptions. If you withdraw consent to our collection of your consumer health data from the Tablo Portal, you may not be able to use all features of the Tablo Portal.
How to Contact us to Obtain Information or to Exercise Your Rights
You can direct us not to collect, share, or sell your personal information by submitting a request through our Data Request Form, or by contacting us at [email protected]. We will act on your request within the timeframes set forth below.
Exercising Your Rights and How We Will Respond
To exercise any of the rights above, or to ask a question, contact us [email protected], complete and submit our Data Request Form.
We will respond to your request without undue delay, but in any case within 30 days of receiving it. If your request is complex or excessive, we may take an additional 30 days to complete it. In that case, we will notify you of the extension and the reason for the extension.
Information provided in response to your request will be provided free of charge, up to twice annually per consumer. However, if your requests are manifestly unfounded, excessive, or repetitive, we may charge you a reasonable fee to cover the administrative costs of complying with the request, or decline to act on the request.
Identity Verification
We are required to verify the identity of the individual submitting a request to access or delete personal information before providing a substantive response to the request. Where possible, we will attempt to verify your identity by asking you to confirm information that we have on file about you or your interactions with us. Where we must ask for additional personal information to verify your identity, we will only use it to verify your identity or your authority to make the request on behalf of another consumer. You do not need to create an account with us to exercise your rights. If you fail to verify your identity, we cannot fulfill your request. We will notify you to explain the basis of the denial.
Authorized Agents
You can designate an “authorized agent” to submit verifiable consumer requests on your behalf. The agent can be a natural person or a business entity.
If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our verification process. Specifically, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the request on your behalf. We will also require that you verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request.
Our Commitment to Honoring Your Rights
If you exercise any of the rights explained in this Policy, we will continue to treat you fairly and not discriminate against you.
You have the right to appeal any decision to restrict or not comply with your request by notifying us in writing at any of the contact details provided in this Policy of your intent to do so. Within 45 days of receipt of an appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, we will provide you with an online mechanism, if available, or other method through which you may contact the Washington attorney general at https://www.atg.wa.gov/file-complaint to submit a complaint.