Privacy Policy

 

This privacy policy explains how we use your data to deliver our healthcare applications and services. We explain what information we collect when you visit our website or use our products, why we need certain information from you, what we do with it, and how we keep it secure.

Who we are

patientMpower designs and develops services and applications for patients with chronic diseases, such as lung disease, kidney disease and cardiovascular disease. We empower users to manage their health at home and improve their health outcomes. Patient’s health data can be seen immediately by their care team in a secure patient data portal. Healthcare staff can then make informed decisions about the ongoing care needs of patients being monitored.

We are a company incorporated in Ireland under registration number 563516.

You can contact us at our main business address: patientMpower, 10/13 Thomas Street, The Digital Hub, Dublin 8, D08 PX8H, Ireland, or via www.patientmpower.com.

Our Data Protection Officer can be contacted via dataprotection@patientmpower.com, or by post at the address above. Our Data Protection Officer is Oisin Hayes.

Our values

We believe that making data more easily available to patients will improve healthcare, but we are also aware that data needs to be handled securely and transparently. We believe you should own your own data and should have the choice about who has access to your data or who you consent to view the data. patientMpower respects your right to data protection and to privacy. This Data Protection Notice explains how we collect, transfer, store, and use your data.

Updates and changes to this privacy policy

As part of our ethos of continuous improvement, this Data Protection Notice and any associated policies or procedures may be changed in the future. If we make changes we will provide notice of any proposed changes at least thirty (30) days before they come into effect. You are free to stop using our apps and services at any time but we would recommend that any decision be taken in consultation with your healthcare provider.

What we do

patientMpower provides smartphone applications and associated equipment and clinical patient management and reporting portals that enable clinicians to provide appropriate care through telemedicine and allow patients to manage and monitor their condition themselves without losing the necessary contact with and support of their healthcare providers.

We use your health and medical information to provide you with a healthcare service in the form of a diary for personal use or sharing your data with your healthcare provider for remote monitoring. We only capture data that is relevant for providing better delivery of care, improving our apps and services, and assessing remote patient monitoring.

patientMpower acts as a Data Processor on behalf of healthcare providers in the provision of our services and applications.

We act as a Data Controller for data logged by you in a personal health diary if you are using our services or applications in that way.

If you have consented to allowing your data to be included in research studies, we act as a Data Controller for that data for the purposes of creating anonymised data sets to be used in research.

We also act as a Data Controller in the context of processing of data for the purposes of product and service improvement and product research and development. However, data used for these purposes is de-identified and anonymised other than in exceptional circumstances.

How we obtain your data

When you use our services and apps, we collect information about your health. This information can be manually entered by you or be collected automatically from your smartphone and/or connected health device. Other health information may come from third parties, such as your healthcare provider or other health partners.

If you choose to use a Google account or other social media account to complete the sign-up process for one of our applications, we are authorised to collect, store, and use any information that you have agreed to let these sites or services share with us. This may include your name, email address, profile picture, or other details.

When you use our services or apps, you may have the option to link other third-party services with your account. Examples of these services may include Apple Health, Fitbit, etc. If you choose to do this, you are authorising patientMpower to collect, store, and use information that you agreed these sites may share with us through their API.

Please note that using third party services to facilitate login or to capture or provide data to the patientMpower application can identify to those services that you are a user of a telemedicine application. You should check the data protection or privacy terms of the service you are using to find out what that data may be used for by that third party service.

Summary:

We obtain your personal data in one or more of the following ways:

  • You directly provide it to us by manually inputting it into the app (example: your name, survey responses, health result data, demographic data, information on health condition, medications, support requests or correspondence)
  • You authorise a third party to provide it to us (example: your healthcare provider sends medical results to you via the patientMpower application, you register using your social media account, or you connect to other apps or services such as Apple Health Kit)
  • We automatically record it from your device, depending on the enabled features (example: data collected on smartphone or via a connected sensor, step counts from accelerometers, location information)

What data we hold

The specific types of personal data we process about you may vary depending on the specific patientMpower app you are using or the specifics of the treatment regime being applied. Examples or descriptions of categories of data provided here are not exhaustive and are for information purposes. Supplemental information will be provided to users for specific application contexts where necessary.

CategoryExample/DescriptionSource
Identity Information
  • First Name
  • Last Name
  • Email address
Directly Provided
Demographic Information
  • Gender
  • Ethnicity (required for calculations for spirometry volumes, kidney function, and other similar purposes).
  • Date of Birth(where relevant / necessary)
Directly Provided
Health Result Data
  • Blood pressure
  • Weight
  • Medication Usage
  • Test results
  • Height 
  • Heart rate
Directly Provided [may be obtained from third party apps]
  • Blood Pressure Readings
  • Spirometry readings
  • Pulse oximetry readings
Automatically recorded or Directly Provided
Health Condition & Symptom Data
  • Symptom logging
  • Photographs related to health or symptoms (e.g. skin rash)
Directly Provided
Medication Information
  • Details of medications being taken to treat condition
Directly Provided
Survey Responses
  • Depending on the needs of healthcare providers, surveys can be developed and introduced into applications.
Directly Provided
Healthcare provider submitted data
  • Patient Identifier (where necessary to associate with clinical systems)
  • Test results
Authorised Third Party
Location
  • Used to associate air quality data to the user when activated and opted-in.
Automatically recorded
Activity Data
  • Step count via accelerometer
  • Interaction with patientMpower application (to ensure timely prompts etc.)
  • Data obtained via integration with 3rd party services such as Fitbit, Apple Health, or Google Fit
Automatically recorded
Technical Data [This is indirectly personal data as it can be associated to an app user or device]
  • Device type, operating system
  • Features used in application
  • Logs of date/time of interaction
  • Details of app crashes or failures
Automatically recorded

 

Permissions Requested by the patientMpower App

Depending on the version of the patientMpower app you are using different permissions may be asked for to access features or functionality on your device or from 3rd party services.

PermissionPurpose
Remote Push NotificationsThis allows our app to send you push notifications using third party services (Mixpanel and Airship). The reason we need to do this is to send you prompts associated with your care and with the correct use of the app and any devices that might be connected with it (e.g. a spirometer).
Access Bluetooth when in useThis is necessary to allow connection to Bluetooth enabled medical devices such as Pulse Oximeters, Spirometers, or Blood Pressure monitors.
Apple HealthKit (Read & Write)This allows patientMpower to read or write data to or from Apple Health and allows us to obtain data from other health devices connected to Apple Health (for example a Apple Health connected thermometer or smart watch).
Google FitSome versions of our app enable users to connect to Google Fit to allow access to data from fitness trackers or smartwatches connected to Google Fit. This data is used to derive data about patient well being and quality of life as part of post-discharge treatment protocols defined by our clinical customers
FitbitSome versions of our app enable users to connect to Fitbit. This allows access to data logged using a Fitbit smartwatch to provide data on patient health and key metrics related to their care.
Location When In UseIn some versions of our app the user’s location is logged when they are using the app. This data is used for purposes including assessing air quality implications for patients with CF or lung transplant as part of clinical care.

Personal Information (PII) and Personal Health Information (PHI) (for United States)

patientMpower processes Personal Information (PI) and Personal Health Information (PHI) as a necessary part of the operation of our services to support the delivery of patient care and, subject to appropriate consents, to support research activities by approved researchers.

Processing data relating to children

Our applications are intended for use by persons 18 years of age or older, except where the use is prescribed by or recommended by an appropriately qualified healthcare professional.

We do not knowingly collect data from children under the age of 14 through our apps, except where the use of the application is prescribed or recommended by an appropriately qualified healthcare professional.

Telemedicine falls within the definition of an Information Society Service under EU law. Therefore, where a child under the age of 16 (or lower in other EU Member States) is consenting to the use of the application or service, this consent must be validated by an individual with parental authority.

If you discover that your child has been using our apps without your consent, or someone has been using the apps on behalf of your child without your consent, please contact us using the information below in the “Contacting Us” section or email dataprotection@patientmpower.com and we will take steps to delete the information from our databases. Additionally, you can delete information from the app directly.

How we use your data (and our legal basis for processing)

PurposeLegal Basis Relied On

Provision of the Healthcare Service

  • Processing of personal data and data relating to health to support delivery of patient care
  • Processing is necessary for the performance of a contract to which the data subject is party
  • Explicit Consent
  • Processing is necessary for the purposes of preventive or occupational medicine, or medical diagnosis
Order Fulfilment
  • Processing is necessary for the performance of a contract to which the data subject is party
  • Consent
Customer Service and Support
  • Processing is necessary for the performance of a contract to which the data subject is party
  • Consent
  • Explicit consent (where data relating to health is processed as part of the Customer service purpose)
Technical Support
  • Processing is necessary for the performance of a contract to which the data subject is party
  • Consent

Explicit consent (where data relating to health is processed as part of the Technical Support purpose)

Analysis of Application performance
  • Legitimate interests of patientMpower to improve our products, fix bugs in our applications, troubleshoot customer queries, and ensure high performance of our products.
Research and Development for patientMpower
  • Explicit Consent if identifiable personal data is being used
  • Users consent to being included in sample populations for deidentified internal research and development activities.
Clinical research 
  • Explicit Consent if identifiable personal data is being used
  • Users consent to being included in sample populations for de-identified research.

Whenever possible de-identified or anonymised data is used for clinical research with approved research partners.

Categories of data processors

patientMpower makes use of several different categories of data processors to help us deliver our services.

CategoryDetails of Processors
Application hostingWe use AWS hosting in the EU (Ireland) as our main hosting provider, with our US apps hosted by AWS in the US. Specific instances of patientMpower applications may, from time to time, be hosted in other environments due to specific requirements of clients.
Website HostingOur website is hosted with WordPress
AnalyticsWe use third party analytics services such as Mixpanel and Firebase in our apps to help track how users use our services so we can optimise and improve services and apps, as well as for testing, troubleshooting, and clinical safety purposes
Logistics & Order FulfilmentDepending on the application and the requirements of clients, patientMpower may engage 3rd party logistics operators to distribute additional devices necessary for the use of the application such as pulse oximeters or spirometers to patients.
Back Office SystemsWe use a variety of software systems such as Google Work and Atlassian for our administrative and operations processes.
ComplianceWe engage specialist third party service providers to assist us with Data Protection Compliance, Information Security management, and other related matters.
Technical SupportWe engage relevant third-party service providers to provide technical support to our users, both individuals and healthcare providers.
Customer ServiceWe engage relevant third-party service providers to customer service and support to our users, both individuals and healthcare providers, such as Intercom and Hubspot. 

Who has access to your data

patientMpower may provide personal data to the following categories of recipient:

  • To healthcare providers, through a secure monitoring portal or through integration with their healthcare record systems. Your authorisation will be sought before any transfer of data to another platform.
  • To law enforcement agencies or regulatory authorities on receipt of a valid court order or where expressly required under legislation and only to the extent required by law.
  • To third parties where necessary to comply with a court order
  • In the event of a corporate sale, merger, reorganisation, sale of assets, dissolution, or other business-related event, your information may be transferred as part of the assets of patientMpower.

De-identified and anonymised data is provided to approved clinical research partners for the purposes of conducting research in respect of treatment and management of conditions. These studies are carried out under appropriate research conditions and are subject to independent ethics approval through our research partners.

How long we keep your data

patientMpower retains identifiable data for the duration of your treatment or use of the application plus any retention period that may be defined by:

  • Data retention requirements for clinical data as may be specified by healthcare providers
  • Legal requirements set out in legislation or regulatory guidance in jurisdictions in which our services are provided
  • Periods that are reasonably necessary for business and legal purposes.

We will also keep data which cannot directly or indirectly identify living individuals for analytics and research purposes to help improve our products and services.

Keeping your data safe and secure

We place great importance on the security of all personal data associated with our users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control.

patientMpower is designed with stringent security protocols. It uses state-of-the art electronic surveillance and multi-factor access control systems. All data transport between your app and our servers is encrypted. Data is encrypted in transit using HTTPS and TLSv.1.2, and encrypted at rest on AWS using AES 256 encryption.

We use a risk management process based on a Health Insurance Portability and Accountability Act (HIPAA) template. It allows us to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by patientMpower, and also implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with HIPAA standards.

Periodic reviews of our security standards are carried out and our software development process has a checkpoint to identify new risks when we define / develop new features.

However, with any electronic transmission and storage of data comes risks and we cannot guarantee that our databases, or those of our third-party affiliates, will be 100% secure. There is also a risk of data being intercepted while being transferred over the internet. 

In the event of a breach of data security, patientMpower will:

  • Immediately inform any relevant health care provider for whom we are acting as a Data Processor in the delivery of care and engage with their Data Security Incident response processes as required.
  • Where we are acting as a Data Controller, we will notify without undue delay the relevant Supervisory Authority where we identify that there is a risk to the fundamental rights and freedoms of people using our applications or services
  • Where we are acting as a Data Controller and we identify a high risk to your rights and freedoms is identified we will notify you of the incident without undue delay.

Automated decision making and profiling

The operation of the patientMpower applications and services does require the processing of data for profiling and does make use of automated decision making to identify usage patterns in the app and ensure notifications are sent to users to remind them to record health data (e.g. take blood pressure) or to support prompts and alerts to help users use the application or associated measurement devices or medical equipment correctly (for example: alerting users if their spirometry test did not meet the required quality).

No decisions are taken based solely on automated decision making which would have a legal or equally significant impact on a user as these applications and services are used as part of a clinical treatment regime overseen by healthcare professionals.

Your rights under GDPR

Where patientMpower is acting as a Data Controller, you have rights under EU Data Protection law.  These rights are:

  • A right of access which allows you to request a copy of your data in an intelligible form (Article 15 GDPR)
  • A right of rectification which allows you to request a correction of errors or inaccuracies in the data that we hold relating to you (Article 16 GDPR)
  • A right to object to processing and to “opt-out” of having your data processed by us on the basis of our legitimate interests or a public interest basis unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. (Article 21 GDPR)
  • A right to erasure in certain specified circumstances. This right does not apply where we are processing data for compliance with a legal obligation, for reasons of public interest in relation to public health, for archiving purposes for historical or scientific research, or where necessary to establish or defend legal claims (Article 17)
  • A right to restrict processing in certain circumstances (Article 18)

To do any of these things, please email us at dataprotection@patientmpower.com. We’ll ask you for proof of identity. Data protection laws give us one month to get back to you. Under GDPR individuals also have rights to seek compensation for infringement of their data protection rights under the legislation.

Right to complain to the Data Protection Commission

You have the right to file a complaint to the Irish Data Protection Commission. 

Their contact information can be found online at this link: https://dataprotection.ie/en/contact/how-contact-us

Compliance with HIPAA (US)

patientMpower complies with HIPAA through our application of an appropriate risk management framework in line with our business associate agreements entered into with clients who are US Healthcare providers and covered entities under HIPAA.

COPPA

For the purposes of the United States COPPA rule, parental consent is required for the use of our applications or services by any person under the age of 13. We do not knowingly collect data from children under the age of 13.