2. Data – Definitions
Health Information. Health information is medical information that relates to patient health status and/or the delivery of healthcare. This information may be in machine-readable format, but oftentimes is not. It also may originate as “protected health information” under HIPAA, but sometimes is not. (For more information about protected health information and HIPAA, see How We Collect Health Information.) Health information can come from a variety of sources, including:
- Electronic health records
- Claims and billing activities
- Product, disease and vital statistics registries
- Patient-generated data, including in home-use settings
- Data gathered from other sources that can inform health status, like mobile devices.
- Medical records and data captured during clinical trials or investigational studies
Real World Data. xCures collects, creates and acquires “real world data”. Real world data (RWD) is a structured representation of the health information that we collect, and enables further analysis and machine learning. It also satisfies regulatory reporting standards, to support the development of real world evidence.
Real World Evidence. xCures collects, creates and acquires “real world evidence”. Real world evidence (RWE) is the clinical evidence regarding the usage and potential benefits or risks of a medical product derived from the analysis of RWD. RWE is generated by our analyses of real world data, including RWD that derives from health information and data collected from randomized clinical trials, large simple trials, pragmatic trials and observational studies, including studies with a sample size of N=1.
Patients or Research Participants. Health information and the RWD and RWE derived from health information pertains to individual patients with advanced disease, and resides in our systems. After patients enroll in a clinical trial or study through xCures, we sometimes refer to patients as research participants.
Individually Identifiable. Information or data that we collect, create, receive, use or share may be “individually identifiable”. Individually identifiable means that the information or data can be used to identify an individual.
De-Identified. Information or data that we collect, create, receive, use or share may be “de-identified”. At minimum, de-identified means that the information or data has been stripped of personal identifiers. Depending upon the particular conditions of a circumstance in which de-identified information or data is used or disclosed, we may apply additional measures to further safeguard privacy, prevent re-identification and comply with applicable laws or industry-recognized best practice clinical guidelines.
Pseudonymization. We create, use and apply pseudonyms as a way to de-identify information and data. Pseudonyms are unique identifiers that we substitute in place of individual identifiers in information and data of individual patients. Pseudonyms are generated and do not include any individually identifiable information. Pseudonyms are one measure we use to manage information and data, maintain data quality and integrity, and safeguard patient privacy.
Account and Usage Data. xCures creates and collects unique identifiers for individuals that create account credentials to use our services (“account holders”). Some of these identifiers can include identifiers from the devices, browsers and operating systems that account holders use when they access our services.
3. Our Business Purpose
Our aims are to help more patients with known or suspected cancer get access to potentially life-saving therapies, and to accelerate the drug research and development lifecycle. We accomplish these aims by helping patients and their treating physicians identify and select therapies based on evidence of potential benefit, which we are able to identify and display through our services. When these therapies are not covered by a patient’s insurance or otherwise accessible to the patient, we help patients access the therapy by other means. Typically, we do this by working with relevant sponsors to design a trial or study that we help run, and by partnering with non-profit foundations and other organizations that offer to subsidize or pay for ancillary treatment or other costs associated with running a trial or study.
In general, we collect the health information of research participants to create real world data. We generate reports containing real world data and real world evidence for their treating physicians, and maintain dashboards through our service for treating physicians that are also account holders. We also allow research participants and their treating physicians to direct us to share these reports with others involved in the patient’s care. These parties can include other physicians, friends, family members and health plans.
The informed consent process also allows xCures to continue collecting the health information of patients for the duration of their participation in a clinical trial or study, to use their health information internally to improve our treatment matching algorithms, and to commercialize de-identified derivatives of their health information.
xCures does not disclose individually identifiable health information or real world data with trial or study sponsors, and we implement measures that control and limit the disclosure of individually identifiable information or data with other third parties.
Our approach to generating real world data and real world evidence is unique because it invites patients to participate in efforts that accelerate innovation in the life sciences, in ways that benefit themselves but also other patients, now and in the future.
4. How We Collect Health Information
We only collect health information when we have a legal basis for doing so. Most of the time, we collect health information at the direction and with the consent of patients. Sometimes, we collect health information without patient consent. In these cases, our access, use and sharing of health information is determined and limited by our contractual and legal obligations as a HIPAA “business associate” or clinical research organization, described more fully below.
Background: HIPAA and Protected Health Information
Most of the health information we collect is considered “protected health information” under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and their implementing regulations (collectively, “HIPAA”). HIPAA is a federal medical privacy law that applies to covered health care providers, health plans and any entity that creates, receives, maintains or transmits protected health information on their behalf (“business associates”). It also gives patients the right to request their protected health information and the ability to designate a third party to request and receive their information on their behalf.
Collecting Data under the HIPAA Right of Access
If we collect health information at the direction of patients, we do so as the patient’s designated third party requester under the HIPAA “right of access”, consistent with a clinical trial or study protocol that has been approved by an institutional review board, ethics committee, or other entity empowered by local regulations to authorize the use of data for clinical research.
A differentiating characteristic of xCures’ data practices is its XCELSIOR research study protocol. This protocol is foundational to all clinical trials and studies available through our xACCESS platform. Under the XCELSIOR research study protocol, patients enrolling as research participants not only consent to the collection of their medical information and real world data to support clinical research, they also receive a clinical summary – called Cancer Journey – which is portable, personalized and persistent, and protected by the Patient Rights detailed below.
Collecting and Creating Data as a HIPAA Business Associate
When we collect health information without a patient’s consent, we may be doing so as a service provider or vendor of a HIPAA covered entity. In these situations, we are acting as the HIPAA covered entity’s “business associate”. As a HIPAA business associate, our rights to access, create and use health information are not dictated by a patient, but by the contractual arrangements between xCures and the HIPAA covered entity. In these situations, our data practices are governed by HIPAA and other applicable state medical privacy laws.
Collecting Health Information As a Clinical Research Organization
When we help administer a study or trial, we collect health information according to the protocols for the study or trial. These protocols are governed by an institutional review board, and our activities must adhere to widely recognized best practice guidelines and laws.
In addition, we may help design a study or trial protocol, and ask HIPAA covered entities for access to protected health information in their systems to inform the study design or identify patients as potential research participants. In these cases, we may sign a business associate agreement or other data use agreement to ensure our access is compliant with HIPAA.
5. Information We Collect When You Visit Our Website or Use Our Services
When you use the xCures website, we may collect technical and navigational information about your visit, such as computer browser type, Internet protocol address, pages visited, and average time spent on the site. This information will be used to improve our site design and functionality. We also may use a tracking technology, such as cookies (a small text file placed on your computer to identify your computer and browser) or web beacons (an electronic file placed on a web site that monitors usage) to improve the experience of our site (for example, prepopulating your information for ease of use). We also may from time to time share information about your website use with service providers who are assisting us in analyzing or operating the site; however, these service providers are contractually prohibited from using that information for other purposes. You may reset your web browser to refuse all cookies or indicate when a cookie is being sent – however, certain features of our site or services may not work if you delete or disable cookies.
Be advised: Third parties, like advertising networks, web analytics companies and social media and networking platforms, may collect information about your online activities over time and across multiple web and mobile platforms. Their use of tracking technologies when you access our online services may be used to predict or determine a likely association or relationship between two or more devices, or to help them serve you content on other websites and social media platforms. We are not responsible for third party tracking technologies used by these third parties, or for the targeted advertisements they may enable to be served to you on other platforms. We encourage you to check the privacy policies of these third parties to learn more about their privacy practices, and use internet and portable device technologies from third parties that you trust when you access and use our services.
6. How We Use Information and Data
Without limiting the foregoing, we use health information, real world data, real world evidence, account credentials, usage data and pseudonyms to:
- Deliver and manage account holder access to our online services
- Send communications to our account holders, and provide them with customer service and technical support
- Bill and collect payment for our services
- Carry out our contractual obligations
- Evaluate and improve our services
- Take appropriate action to maintain the security of our services, safeguard the privacy of individually identifiable information, and adhere to applicable laws, regulations and consensus-based standards associated with human subject research in clinical studies
- Take actions to enforce our agreements and policies
7. How We Disclose Information and Data to Others
We consider individually identifiable information and data that we receive to be confidential. We do not disclose individually identifiable information or data without a legal basis for doing so. Our business does not involve the sale of individually identifiable information or data, or use for marketing purposes. However, we do sell de-identified real world data and real world evidence when we have a legal basis for doing so. We will disclose individually identifiable information or data to patients, their treating physicians and others to support clinical or treatment purposes, consistent with HIPAA, or when patients otherwise direct us to do so.
Without limiting these use cases, we may disclose information or data as follows:
Third Party Service Providers
We share individually identifiable real world data and real world evidence with the treating physicians of patients enrolled through xCures in a clinic trial or study.
Other Physicians, Clinical Trial Teams and Third-Parties, As Directed by Patients
We share individually identifiable real world data and real world evidence with other physicians that have a patient-provider relationship with the patients enrolled through xCures in a clinical trial or study, members of the clinical trial teams involved in the study or trial in which a patient participates, and with any other third parties that a research participant designates. These third parties can include friends and family members involved in the research participant’s care.
Clinical Trial or Study Sponsors
We share de-identified real world data and real world evidence with the biotech companies, drug manufacturers, clinical laboratories and other entities that sponsor a patient’s participation in a clinical trial or study.
If directed by a research participant or treating physician, we share individually identifiable real world data and de-identified real world evidence with health plans. Typically, these disclosures are made to support a patient or treating physician’s request for coverage of an off-label use of a therapy under the patient’s health insurance plan. We may also sell de-identified real world data and real world evidence with health plans, to determine the effectiveness of treatment for a given population of patients, for example.
Nonprofit and Patient Advocacy Organizations
We share de-identified real world data and real world evidence with the organizations that pay or subsidize costs of a patient’s participation in a clinical trial or study, including ancillary costs. These organizations can include non-profit foundations, patient advocacy organizations and the managed access or patient support programs of biopharma companies. Ancillary costs can include family lodging, meal and travel costs, for example, when patients must visit a clinical trial or study site for a given therapy.
xCures’ Virtual Tumor Board
If a treating physician subscribes to xCures’ virtual tumor board services, we may disclose case summaries or other reports containing de-identified real world data to other tumor board participants.
Other Clinical Researchers and Investigators
We share de-identified real world data and real world evidence with a variety of other clinical researchers and investigators, to aid in their clinical research activities. These clinical researchers may be employed or compensated by universities, academic medical centers, biotechnology companies, drug manufacturers, next generation genomic sequencing laboratories and other similar enterprises.
We may publish or permit the publication of de-identified real world data or real world evidence when it supports the dissemination of generalized scientific knowledge.
Law Enforcement and Regulatory Authorities
We resist disclosing individually identifiable information or data to law enforcement or regulatory authorities unless we determine we must do so under law to comply with a valid court order, subpoena, or search warrant. We closely scrutinize all law enforcement and regulatory requests. If we determine that we must comply with a valid law enforcement or regulatory request, we first determine if we can comply after receiving the explicit authorization to make the disclosure. Otherwise, we attempt to comply by limiting disclosure to de-identified information or data, or by redacting information so that only the minimum necessary individually identifiable information or data is disclosed. We also attempt to receive adequate assurances from the requesting law enforcement or government agency that it will protect the Individually Identifiable information or data to the highest degree possible, and will not disclose it in violation of applicable federal or state confidentiality laws. While we cannot offer assurance that these efforts will be successful, we will maintain a detailed record of all disclosures we make in response to law enforcement and regulatory requests. Also, if permitted by applicable law, we will notify you of the disclosure by certified mail to any home address that you have disclosed in your account profile.
If xCures is a party to a legal proceeding with an account holder or research participant, we may disclose individually identifiable information or data to the court or arbitrator for purposes of resolving a civil dispute. If xCures is not a party to a legal proceeding, we may be required by law to disclose this individually identifiable information or data pursuant to a valid subpoena, discovery request or other lawful process. Even if additional protections are not required by applicable laws, we use our reasonable best efforts to obtain your authorization or seek a qualified protective order to protect individually identifiable information or data before disclosing it in a civil proceeding. We also use reasonable best efforts to limit disclosures of individually identifiable information or data to the minimum necessary to accomplish their intended purpose.
8. How We Secure Personal Data
We implement industry-leading safeguards to protect our information systems and the information and data in our control from unauthorized access, disclosure, use, modification and loss. Information security measures include: secure storage, encryption of digital records in transit and at rest, periodic log reviews, and system backups.
When selecting appropriate measures for de-identification, we follow a risk-adjusted approach, because the risk of identification for one particular data set in the context of a specific environment may not be appropriate for the same data set in a different environment, or a different data set in the same environment.
If we believe that the security of the individually identifiable information or data of a patient or account holder may have been compromised, we will notify the impacted parties about the breach using the email provided in their respective account profile. The notification will include the following information:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- A description of the types of unsecured Individually Identifiable information or data that were involved in the breach;
- Steps individuals should take to protect themselves from potential harm resulting from the breach;
- A brief description of what the entity that suffered the breach is doing to investigate the breach, to mitigate harm, and to protect against any further breaches; and
- Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, Web site, or postal address.
At any time, research participants and account holders can notify us by contacting firstname.lastname@example.org if they prefer to be notified by first class mail, or want to request a print copy, at no charge, of any electronic notice that we may have sent about the incident.
9. How Long We Retain Information
In general, we retain de-identified information or data in perpetuity. We retain individually identifiable information and data for as long as needed to maintain our information systems and comply with applicable laws. If required by law to delete individually identifiable information or data, we delete that information by following internal policies that align to these laws.
10. Patient Rights
Research participants can exercise any of the following rights:
Request a copy of their Cancer Journey. The Cancer Journey is a report populated with the research participant’s individually identifiable real world data, including extracts from the research participant’s health information.
Request that information in their Cancer Journey be amended, corrected or deleted. If a research participant believes any of the information in their case summary is not accurate, timely, complete, relevant or necessary, please let us know that you would like the Cancer Journey to be amended, corrected or deleted. A member of our team will review the request and consult with the treating physician or study investigator to determine if the case summary needs to be amended, corrected or deleted, and promptly take appropriate action.
Restrict access to copies of their Cancer Journey. A research participant can also direct xCures not to share a Cancer Journey with a third party, or to stop sharing Cancer Journey updates with a third party.
Request an accounting of disclosures to third parties. A research participant can request an accounting of Cancer Journey it makes at their direction or the direction of their treating physicians. Patients cannot request an accounting of de-identified information or data.
To exercise any of these rights, contact xCures Support Team at email@example.com. We acknowledge emails within one business day. Requests are subject to individual verification procedures. After verifying the request, a member of our team will review your materials, and make a determination as to whether the request can be fulfilled. Please allow up to ten (10) business days after verifying identification for us to make this determination. We will inform you in writing if we need more time, if the request will be granted or the reasons for denial.
12. Personal Representatives
xCures may allow individuals that are recognized as a patient’s “personal representative’ or “legal guardian” under applicable state law to give consent for the patient to become a research participant. xCures recognizes parents of children under the age of majority in the state where they live, or the holder of a medical power of attorney as personal representatives, absent actual knowledge to the contrary. xCures reserves the right to verify the identity and authority of individuals holding themselves out as the personal representative or legal guardian of a Patient.
We do not knowingly market to or solicit information or data from children under the age of 13. A parent or personal representative of a patient under the applicable legal age of consent must give consent for the patient to become a research participant. If we obtain actual knowledge that we have collected individually identifiable health information about minor under the applicable legal age of consent without their legal representative’s consent, we will use reasonable efforts to refrain from further using such individually identifiable health information, take steps to disable further use or access of it in a retrievable form, and delete real world data and real world evidence that derives from that information.
14. Supplemental Privacy Notices
15. International Data Transfers
If you are located in the United States—
We do not knowingly transfer any health information outside of the United States unless that transfer is subject to an agreement for safeguarding the health information, consistent with applicable medical privacy laws in the United States, including HIPAA.
We do not knowingly transfer any individually identifiable real world data or real world evidence outside of the United States, except at the direction of a research participant, a treating physician or in accordance with a clinical trial or study protocol that has been approved by a institutional review board, ethics committee, or other entity empowered by local regulations to authorize the use of data for healthcare research.
We may transfer de-identified real world data or real world data outside the United States as long as the transfer complies with applicable data protection laws.
16. Jurisdiction-Specific Provisions
The laws of the United States governing data collection and use may differ from the applicable laws where you are located, and that you will be transferring data to the United States for storage and processing. By visiting our website, using our services or providing your personal data, you consent to such transfer, storage and processing.
16 A. European Economic Area (EEA)
That said, if you are an account holder or research participant, and also reside in the EEA, the data protections specified by the EEA’s General Data Protection Regulation (GDPR) may be applicable to you. In consequence, the following disclosures explain our legal basis for collecting and using your individually identifiable information or data, and the rights guaranteed to you as an EEA resident with respect to that information and data. For this purpose, we are a “data controller”.
Be advised: While the GDPR represents a minimum set of data protection standards that the individual nations within the European Economic Area are required to implement, the actual laws of the nation of the EEA where you reside may confer additional rights to you, which are not included in the following disclosures.
xCures does not self-certify under the E.U.-U.S. Privacy Shield or the Swiss-U.S. Privacy Shield to comply with data protection requirements when transferring Personal Data from the European Economic Area (EEA) to the United States.
Legal Basis for Processing
Our legal basis for collecting and using your individually identifiable information or data depends on the nature of the personal information concerned and the specific context in which we collect it. We always seek your explicit consent before collecting and using your individually identifiable health information or data, unless we are otherwise authorized or directed to do so as a “business associate” to a HIPAA covered entity, or participating on a clinical study team with respect to a study or trial that has been approved by an institutional review board, ethics committee, or other entity empowered by local regulations to authorize the use of data for healthcare research. In some cases, we also may have an independent legal basis for collecting and using some or all of your health data; for example, if you direct a third party to share your individually identifiable health information with xCures.
We collect and process health information and real world data for the purposes listed in Our Business Purpose. These purposes are subject to overriding individual rights guaranteed under the GDPR, listed below. If we are unable to deliver services and simultaneously help you exercise these rights to the fullest extent, we will let you know the reasons why. At that point, you can decide either to close your xAccess account (if you are an account holder), or withdraw your consent as a research participant in a study or trial accessed through xCures.
In some cases, we may also have a legal obligation to collect individually identifiable information from you or may otherwise need this information to protect your vital interests or those of another person. An example is if we need to verify your identity or authority to access individually identifiable information or data to fulfill a data request.
If we ask you to provide individually identifiable information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of that information is mandatory or not (as well as of the possible consequences if you do not provide it).
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us by email to firstname.lastname@example.org subject line: GDPR Privacy.
Individual Rights of EEA Users
Correction. You can request corrections in inaccurate/incomplete information in your Cancer Journey. In some cases, you may need to request these corrections from the source of the health information. For more information, see Request that information in their Cancer Journey be amended, corrected or deleted under Patient Rights.
Object to, Limit, or Restrict Use of Data. You can ask us to stop using all or some of your individually identifiable information or data, or to limit some or all of our uses of it. If you wish to limit or restrict use of this information or data, some or all of the services – including therapies through clinical trials or studies – may not be available to you or your patients. If that is the case, your remaining option is to discontinue using our services.
Deletion. In certain circumstances, you can request a right “to be forgotten” (this is a right to have your information deleted or our use of your data restricted). We will honor these requests unless we have to retain this information to comply with a legal obligation or unless we have an overriding interest to retain it. For more information, see Request that health information that be deleted under Patient Rights.
Portability. As a research participant, you can exercise the right of data portability (this is a right to obtain a transferable version of your Cancer Journey to transfer to another provider). For more information, see Request a copy of their Cancer Journey under Patient Rights.
16 B. California
California Privacy Act Notice – Use of Information for Marketing. Under California Civil Code Sections 1798.83-1798.83, California residents are entitled to ask us, once per year, for a notice identifying the categories of information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for these affiliates and/or third parties. Requests will apply to information provided during the previous calendar year (for example, if your request information in 2021, you will receive information regarding 2020).
xCures does not currently have any Affiliates and does not use individually identifiable information or data for marketing purposes.
California Consumer Privacy Act of 2018 and California Consumer Privacy and Enforcement Act of 2020
Right To Know. California residents can request a disclosure in machine-readable format of the categories and specific pieces of individually identifiable information that we have collected about you and your household during the 12 months preceding our receipt of a verifiable consumer request (limit two times per 12-month period). You can also ask where this information came from, and what we use it for.
xCures does not sell any individually identifiable information or data, or use it for marketing purposes. For more information, see How We Disclose Information and Data to Others.
Right to An Accounting of Disclosures, When Individually Identifiable Data Is Sold. California residents have the right to receive an additional accounting of disclosures made by businesses subject to the CCPA that sell the personal information of California residents.
Disclosures about Incentives and Differential Terms. Businesses subject to the CCPA must notify California residents when they offer financial incentives – or vary their service terms – in exchange for selling their personal information.
xCures does not offer financial incentives or vary our service terms as a way to induce you or other users to permit us to sell your individually identifiable information. Deletion Rights. Businesses subject to the CCPA must honor requests that enable California residents to request that their personal information be deleted. For more information, see Request that health information be deleted under Patient Rights.
17. Prior Versions; Summary of Changes