Night Shift Privacy Notice
Advanced Brain Monitoring, Inc. (ABM) is a neuro-diagnostics device company internationally recognized for its innovative technologies. Our products are used by individuals, clinicians, researchers, and in clinical trials to interpret brain and physiological function as they relate to chronic diseases and early stage neurodegeneration, as well as to improve sleep quality and enhance performance. ABM is an ISO 13485 and FDA device manufacturer. We have a global distribution network established in the EU, Asia, and Australia. ABM is based in Carlsbad, CA with a European office in Belgrade, Serbia.
PRIVACY COMMITMENT STATEMENT
ABM is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. Consistent with this commitment, ABM maintains compliance with several regulatory programs. We are dedicated to ensuring compliance with all of our products and services, as well as the underlying processing of personal data on behalf of our customers.
- Health Insurance Portability and Availability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
- The European Union (EU) General Data Protection Regulation (GDPR)
- EU-US and Swiss-US Privacy Shield Frameworks (Privacy Shield)
ABM is HIPAA compliant. HIPAA establishes standards for the security of electronic protected health information. We perform periodic technical and non-technical evaluations that establish the extent to which our security policies and procedures meet the HIPAA security requirements. The U.S. Department of Health and Human Services (HSS) does not currently offer HIPAA certification. Please visit the HHS website to learn more about HIPAA.
ABM is HITECH compliant. HITECH promotes the adoption and meaningful use of health information technology, as well as privacy and security concerns associated with the electronic transmission of health information. HHS does not currently offer HITECH certification. Please visit the HSS website to learn more about HITECH.
ABM maintains Privacy Shield certifications for the EU-US and Swiss-US Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU and Switzerland to the U.S., respectively. Please visit the Privacy Shield Framework website to view our certification and learn more about Privacy Shield.
Compliance with GDPR, which is effective as of May 25, 2018, is an active process and will continue up to and after the enforcement date. The GDPR provides a set of standardized data protection laws across all EU member countries, and is applicable to any organization collecting information from an individual residing in the EU regardless of where the organization is located. The European Commission does not currently offer GDPR certification. Please visit the European Commission website to learn more about GDPR.
Individuals have personal data rights that include the following:
- Be informed if personal data is being used
- Get copies of personal data
- Get personal data corrected
- Get personal data deleted
- Limit how organizations use personal data
- Portability of personal data
- Object to the use of your data
- Decisions being made about an individual without human involvement
- Access information from a public body
- Raise a concern
NIGHT SHIFT PORTAL PRIVACY INFORMATION
The Night Shift website contains several areas where information is obtained. The following provides detailed information regarding what type of data is collected, how we use the information, and with whom we share the information.
1. Night Shift Portal
The Night Shift software, which is accessed by the Night Shift Portal (NS Portal), produces graphical reports of previously recorded physiological signals obtained during sleep with ABM’s proprietary Night Shift medical device. The software is fully compliant with regulatory guidelines (e.g., HIPAA, 21 CFR Part 11, etc.).
When an individual utilizes the NS Portal, information is shared with ABM. There are two categories of information that ABM collects:
- Information the user provides to utilize services
- Information we obtain to perform services
The following provides detailed information regarding what type of data is collected and how it is used.
Information the user provides
Registration of a Night Shift device is not required to use the NS Portal. However, if a user chooses to register a device we will have the ability to notify him/her of important improvements that could benefit the use of a device (e.g., firmware upgrades or NS Portal enhancements).
In order to register a device on the NS Portal the user must disclose:
- Device serial number
- Email address
Registering a “Customer Name” is optional. To keep health information anonymous to ABM, we recommend that a name is not entered.
Personal data that an individual chooses to provide ABM when registering a device is only used to provide technical assistance or communicating product improvements.
The generation of reports is not required to use a device; however, it is the primary purpose for using the NS Portal. No personal data is required to generate a report, but when a report is generated, the Customer Name, if provided, will appear on the report. As an alternative, if no Customer Name is registered but you wish to personalize a report, a “User Name” may be entered at the time the report is generated and the User Name will appear on the report.
The report, which may include personal data should it have been provided, is saved to the NS Portal database as an unreadable byte array field. The NS Portal database is used to provide technical assistance should any problems with a device or generating a report be encountered.
- Device Registration
Information we obtain
When our services are utilized via the NS Portal, we obtain raw data from an ABM proprietary device via an “.acq” file. The information obtained is used for the sole purpose of generating a report for personal use. The information obtained is identified by the device serial number, which can only be linked to personal data if a device was registered.
The information ABM gathers from a device includes:
The Night Shift device has been designed to obtain and store various categories of information. The following types of information is obtained by the device:
- Use (e.g., how many nights the device was used)
- Sleep (e.g., how many hours a user was asleep)
- Awake (e.g., how many hours a user was awake)
- Position (e.g., how much time a user slept on his/her back and how quickly he/she responded to the position avoidance feedback)
- Snoring (e.g., did the user snore, and if so, how loudly)
Some of the information recorded on a device is in very small increments (e.g., milliseconds and seconds). The NS Portal simply converts the data obtained by a device into usable increments and presents the information in graphic format as a report.
The information that resides on a device is stored in an .acq file. Each time ABM’s NS Portal services are used, we save a copy of the .acq file to the NS Portal database as an unreadable byte array field. The NS Portal database is used to provide technical assistance should any problems with a device or generation of a report be encountered.
ABM may automatically collect certain information and store it in log files when our services are utilized, including internet protocol (IP) addresses, referring/exit pages, operating system, browser type, date/time stamp, and clickstream data. We use non-personal information to administer services and analyze trends for service enhancements. We use personal information to provide technical assistance should any problems with a device or generating a report be encountered, and to help protect ourselves from abusive users of our services.
- Usage information
We use the information that users provide and we obtain to ensure that the NS Portal is providing value to our customers. Here are some of the ways that we do that:
- Provide technical assistance should any problems with a device, registering or managing a device, or generating a report be encountered
- Validate warranty coverage
- Communicate with customers, via email, regarding important improvements and enhancements to our devices and services
- Monitor types and trends of issues that are experienced when using the NS Portal for use in developing product and service enhancements
- Analyze usage and trends to publish de-identified findings for product marketing purposes and scientific journals
- Verify your identity and prevent fraud or other unauthorized or illegal activity.
We do not sell, distribute, or lease personal information to third parties, ever. However, we may transfer a report or raw data via .acq file to a third party for the following reason(s):
With your permission, we may share your .acq file or report with a healthcare provider in order to qualify your device for insurance reimbursement, or so that your health care provider can monitor therapy compliance.
When devices are sold through a distributor, we may share an .acq file with the distributor in order to provide technical assistance should any problems with a device, registering or managing a device, or generating a report be encountered.
2. Electronic Prescription (eRx)
Night Shift devices are only available by prescription in the U.S. For the convenience of our U.S. customers, health care providers may register a provider account in order to generate an eRx, which allows patients to purchase a Night Shift device directly via the ABM web store. To generate an eRX, Providers are required to enter into a Business Associate Agreement (BAA) in recognition of obligations required under HIPAA and HITECH. All information obtained from the provider, including patient prescription information, is stored in ABM’s secure database. We use the information to verify that a customer has a prescription for purchasing a device and refer to prescriptions should a customer desire to purchase an additional device in the future. The eRx services, which are compliant with U.S. rules and regulations, is only available to U.S. customers.
3. Web store
4. Contact Page
A user may submit personal information via one of three contact pages:
- Sales/product inquiries
- Technical support
- Privacy request
To submit a request, the user is required to provide the following information:
- Type of request (technical support and privacy request only)
- Email address
- Country (technical support only)
- Message (sales/product inquiries only)
We use the information that a user provides to respond to a request for assistance.
- Sales/product request
- Technical support
- Privacy request
All information included on a sales/product inquiry request is maintained by Zoho, AMB’s third party customer relationship management (CRM) provider. Zoho initiates an email to ABM’s business development group, who reaches out to the individual requesting information. Once patient requests have been satisfied, personal data is deleted from Zoho. Business contacts are saved in Zoho for further business development.
All information included in a technical support inquiry request is forwarded via firstname.lastname@example.org to ABM’s Night Shift’s customer support group, who reaches out to the individual requesting assistance. The information is logged in a technical call spreadsheet to assist with customer follow-up and providing technical assistance should any problems with a device, registering or managing a device, or generating a report be encountered.
All information included on a privacy contact request is forwarded via email@example.com to ABM’s IT privacy team, who reaches out to the individual requesting assistance. The information is logged in a privacy request spreadsheet.
We do not sell, distribute, or lease personal information to third parties, ever.
5. Access logs
ABM may automatically collect certain information and store it in log files when our services are utilized, including internet protocol (IP) addresses and a date/time stamp. This information is recorded in the database to administer services, analyze trends for service enhancements, and help protect ourselves from abusive users of our services.
THIRD PARTY LINKS AND FEATURES
ABM is committed to ensuring that personal information is secure. We have physical, electronic, and procedural safeguards that comply with regulations to protect personal information. ABM uses industry-standard encryption technology to protect privacy. We limit access of personal information to employees who we believe reasonably need to come into contact with such information to provide products or services in order to do their jobs.
For site security purposes and to ensure that this service remains available to all users, we use software programs to monitor traffic to identify unauthorized attempts to upload or change information or otherwise cause damage. In the event of law enforcement investigations and as part of any required legal process, information from these sources may be used to help identify an individual.
ABM does not sell, distribute, or lease personal information to third parties, ever.
ABM will disclose your personal information, without notice, if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on ABM or the site; (b) protect and define the rights or property of ABM; and (c) act under exigent circumstances to protect the personal safety of ABM website users, or the public.
RETENTION AND STORAGE
ABM retains personal information for no longer than necessary for the purpose for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it.
All information is stored on secured servers owned and operated by ABM. We use third party vendors to support our services, which includes an IT Security Consultant. We store backups off site with third party storage provider to ensure data security in case of an emergency or catastrophe. All IT services are governed by a written contract.
If ABM is acquired by or merges with another entity, our assets, including all proprietary intellectual property and information embedded in our services and any personal information stored in our databases, will likely be transferred to the new entity. By utilizing our services you acknowledge and agree that ABM may assign assets and any information stored therein in the event of such a transaction.
Please note: ABM does not have the right to copy, correct, delete, limit, or transmit any personal data without first obtaining identity verification. Should you submit a data request via the Privacy Contact page, an ABM representative will contact you to begin the process of identity verification before any action can be taken.