Effective: May 25, 2018 – Last Modified: June 27, 2019
Information We Collect
Information You Provide to Us. In order to take advantage of certain Services or features offered or provided on the Services, you may be asked to provide personal information. For example, we may collect your name and email address when you submit your information through the “Contact Us” functionality. While you are not obligated to provide us this personal information, your ability to use certain Services or features may be limited if you do not.
Information From Third-Party Sources. We may receive information about you from publicly and commercially available sources, as permitted by law, which we may combine with other information we receive from or about you.
How We Use Information
To Provide and Manage the Services You Request and Better Understand our Users. This includes, for example, enabling you to participate in features provided by the Services. We also may use information we gather to better understand and serve users and to improve our services.
To Contact You. We may use your personal information to respond to questions you submit via the Services or to communicate with you regarding news, updates, or educational and marketing materials. You may opt out of receiving commercial email messages from us by following the instructions in those messages.
To Protect the Rights of the Services and Others. We may use your information as we believe is necessary or appropriate to protect, enforce, or defend the legal rights, privacy, security, safety, or property of the Services, its employees or agents, or other users, and to comply with applicable law.
Sharing of Information
Affiliates. We may share information within our family of affiliated companies.
Service Providers. We rely on third parties to perform a variety of services for us, such as providing data analysis. To do so, we may need to provide your information to those businesses.
Other Parties When Required by Law or As Necessary to Protect Our Services. We may share information when we have reason to believe that doing so is necessary to identify, contact, or bring legal action against someone who may be causing injury to or interference with the rights or property of us, other visitors, or anyone else that could be harmed by such activities. We may also share your information where otherwise required or permitted by law or legal process.
Other Parties in Connection With a Corporate Transaction. We may transfer information collected on the Services in the event that we sell or transfer all or a portion of our business or assets to a third party in connection with a corporate transaction or bankruptcy.
We may otherwise use information and share information about you with third parties with your consent. We also may provide to third parties information that is not directly identifiable as connected to you, such as information that has been aggregated.
Third Parties that Provide Content or Functionality. When you use our Services, third party service providers may collect or receive certain information about you and/or your use of the Services, including through the use of tracking technologies. These third parties may use your information consistent with their own privacy policies. Some of these companies participate in industry-developed programs designed to provide consumers choices regarding targeted advertising. Please visit the websites operated by the Network Advertising Initiative and Digital Advertising Alliance to learn more.
International Transfers and Rights
If you are located in a jurisdiction that specifies relevant legal grounds for processing personal information, the legal grounds for our processing activities are to perform our contract(s) with you; to meet your legal obligations; and for our legitimate business purposes, such as to maintain the privacy, security, safety, or property of the Services and in relation to any sale or transfer of all or a portion of our business. You may have certain rights as a data subject under applicable law. For example, you may have the right to access, update, or correct inaccuracies in the personal information we hold about you, subject to certain exceptions prescribed by law. If you would like to exercise these rights, please contact us at:
Foundation Medicine, Inc.
150 Second Street
Cambridge, MA 02141
You may lodge a complaint with the relevant supervisory authority if you consider that our processing of your personal information infringes applicable law. Contact details for all EU Supervisory Authorities can be found here.
If you have questions about our privacy practices, please contact us at the following:
Foundation Medicine, Inc.
Data Protection Officer: Karen Schorr
150 Second Street
Cambridge, MA 02141
FMI Germany GmbH
Data Protection Officer: Angelika Kroemer
Nonnenwald 2, Building 433
D-82377 Penzberg, Germany
Other Important Information
Linked Services. The Services may link to sites operated by third parties or offer content developed and maintained by third parties. We are not responsible for the privacy practices of these third parties.
Children’s Privacy. We do not knowingly collect any personal information from children under the age of 13 without parental consent, unless permitted by law. If we learn that a child under the age of 13 has provided us with personal information, we will delete it in accordance with applicable law.
Your California Privacy Rights. California residents are entitled once a year, free of charge, to request and obtain certain information regarding our disclosure, if any, of certain categories of personal information to third parties for their direct marketing purposes in the preceding calendar year. We do not share personal information with third parties for their own direct marketing purposes.
Do Not Track Signals. Some web browsers may transmit “do not track” signals to the websites and other online services with which a user communicates. Because there currently is no industry standard that governs what, if anything, websites should do when they receive these signals, we currently do not take action in response to these signals.
Use of Personally Identifiable Information (PII)
Information submitted to Foundation Medicine through web forms or e-mail will be managed according to Foundation Medicine’s Privacy and Security policies.
No Unlawful or Prohibited Use
Personal and Non-Commercial Use
The Site is intended for personal, non-commercial use. The Site and its content are protected by United States copyright law. Except as specifically permitted, you may not copy, modify, distribute, transmit, display, publish, reproduce, license, create derivative works from, or sell any information obtained from the Site.
Forward Looking Statements
The Site contains forward-looking statements about our business. You should not place undue reliance on forward-looking statements as these statements are based upon our current expectations, forecasts and assumptions and are subject to significant risks and uncertainties. These statements may be identified by words such as “may,” “will,” “should,” “could,” “expect,” “intend,” “plan,” “anticipate,” “believe,” “estimate,” “predict,” “potential,” “forecast,” “continue” or the negative of these terms or other words or terms of similar meaning. We may also make forward-looking statements in other reports, in presentations, in materials delivered to stockholders and in press releases. In addition, our representatives may from time to time make oral forward-looking statements.
Risks and uncertainties that could cause our actual results to differ materially from those set forth in any forward-looking statements include, but are not limited to, the matters listed under “Risk Factors” in our annual report on Form 10-K, quarterly reports on Form 10-Q and our other filings with the Securities and Exchange Commission. These reports are available at www.sec.gov or by contacting our investor relations department at email@example.com.
Statements, including forward-looking statements, speak only to the date they are posted or provided (unless an earlier date is indicated), and we do not undertake any obligation to publicly update any statements, including forward-looking statements, whether as a result of new information, future events or otherwise.
Links to Other Web Sites
The Site may contain hyperlinks or references to websites owned, operated, or controlled by other parties. Foundation Medicine does not endorse, warrant, or guarantee the products, services, or information described or offered on other parties’ websites and is not liable for any damages or injury arising from such content. Foundation Medicine does not control the content of other parties’ websites and provides these links as a convenience only. Accessing any other website is undertaken at your own risk, and Foundation Medicine is not responsible for the completeness, accuracy, or reliability of any information, data, opinions, advice or statements made on these websites.
Unauthorized use of any Foundation Medicine trademark, service mark, or logo may be a violation of federal and state trademark law. Foundation Medicine products, service marks, and logos referenced by the Site are trademarks or registered trademarks of Foundation Medicine and/or its affiliates in the United States and other countries. Other trademarks, products, service marks, or logos are the property of their respective owners.
The Site Does Not Provide Medical or Professional Services Advice
The medical information contained on the Site is presented for the purpose of general education for the public regarding cancer genomics and diagnostic testing, personalized cancer care, genomic research, and other general information concerning Foundation Medicine. No information provided on the Site is intended to constitute medical advice, instruction for medical diagnosis, or instruction for medical treatment. Any information provided on the Site should not be considered complete, nor should it be relied on to suggest a diagnosis or course of treatment for a particular individual. Information received from the Site should not be relied upon for personal, medical, legal, technical, or financial decisions. It should not be used in place of the consultation or advice of a physician or other qualified healthcare provider. Should you have any healthcare related questions, please consult with your physician or other qualified health care provider promptly. The information contained on the Site is compiled from a variety of sources. Foundation Medicine does not, through the Site or otherwise, directly or indirectly practice medicine, render medical advice, or provide medical services.
Foundation Medicine makes no representations or warranties about the suitability, reliability, availability, timeliness, completeness, or accuracy of the information, services, or related graphics contained on the Site for any purpose. All such information, services, and related graphics are provided “as is” without warranty of any kind. To the fullest extent permitted by law, Foundation Medicine and its officers, directors, employees and agents hereby disclaim all express or implied warranties and conditions with regard to the information, services, and related graphics, including all implied warranties or conditions of merchantability, fitness for a particular purpose, title, and non-infringement.
Limitation of Liability
In no event shall Foundation Medicine be liable for any direct, indirect, punitive, incidental, special, or consequential damages or any claim for lost profits or lost data arising out of or in any way connected with the use or performance of the Site, or with any delay or inability to use the Site, whether arising in contract, tort, negligence, strict liability, or otherwise, even if Foundation Medicine has been advised of the possibility of damages. This limitation of liability shall apply to the fullest extent permitted by law in the applicable jurisdiction.
The information and services included in or available through the Site may include inaccuracies or typographical errors. Foundation Medicine may make revisions, improvements, and/or changes to the Site at any time without notice but expressly disclaims any obligation to update such information.
How We Use Protected Health Information
Foundation Medicine uses Protected Health Information to deliver medical information to physicians to assist them in the treatment of their patients.
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Foundation Medicine is committed to obtaining, maintaining, using and disclosing patient protected health information in a manner that protects patient privacy. We urge you to read this Notice of Privacy Practices (“Notice”) carefully in order to understand both our commitment to the privacy of your protected health information and your rights.
Foundation Medicine is required by law to maintain the privacy of your protected health information and to provide you with a notice of our legal duties and privacy practices with respect to protected health information. This Notice describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by law. The Notice also describes your rights with respect to your protected health information. “Protected health information” or “PHI” is information about you, including basic demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.
We are required to follow the terms of this Notice. We will not use or disclose your PHI without your permission, except as described in this Notice. We reserve the right to change our practices and this Notice as and to the extent permitted by law and to make a new Notice effective for all PHI we maintain. Upon your request, we will provide you with a copy of the revised Notice.
Examples of How We Use and Disclose Protected Health Information About You
Your PHI may be used and disclosed for treatment, payment, healthcare operations, and other purposes permitted or required by law. If we wish to use or disclose your PHI for other
purposes, we would have to obtain your authorization. We may, however, use or disclose your PHI without specific authorization or permission for certain purposes, including:
Treatment: We may use your health information to provide and coordinate the treatment and services you receive. For example, we may use your information to perform diagnostic tests, or provide your test results to your physician.
Payment: We may use and disclose your health information to others for purposes of billing and receiving payment for treatment and services that you receive. For example, we will submit a claim to you or your health plan/insurer that includes information that identifies you and the type of services we performed for you.
Health Care Operations: We may use or disclose your PHI in order to support the operations of our laboratories and monitor, evaluate and improve the quality of the services we provide, and for other internal management purposes. For example, we may use information in your health record to evaluate the services our laboratories provide or to train our staff.
To Communicate with Individuals Involved in Your Care or Payment for Your Care: We may disclose to a family member, other relative, close personal friend or any other person you identify, PHI directly relevant to that person’s involvement in your care or payment related to your care.
Minors’ Protected Health Information: As permitted by federal and state law, we may disclose PHI about minors to their parents or guardians.
Business Associates: There are some services provided by Foundation Medicine through contracts with business associates (e.g., billing services), and we may disclose your PHI to our business associate so that they can perform the job we have asked them to do. To protect your information, however, we require the business associate to appropriately safeguard your information.
Food and Drug Administration (FDA): We may disclose to the FDA, or persons under the jurisdiction of the FDA, PHI relative to adverse events with respect to drugs, foods, supplements, products and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.
Worker’s Compensation: We may disclose your PHI to the extent authorized by and to the extent necessary to comply with laws relating to worker’s compensation or other similar programs established by law.
Public Health: As required by law, we may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability.
Law Enforcement: We may disclose your PHI for law enforcement purposes as permitted by law, or in response to a valid subpoena or court order.
As Required by Law: We will disclose your PHI when required to do so by federal, state, or local law.
Health Oversight Activities: We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections
necessary for licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Judicial and Administrative Proceedings: If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made, either by the requesting party or by us to tell you about the request or to obtain an order protecting the information requested.
Research: Researchers may be given limited access to your PHI on-site at Foundation Medicine so that they can develop research projects and identify patients who may potentially qualify to participate in research studies. Any other uses or disclosures of your PHI for research purposes are only permitted once an institutional review board or privacy board has reviewed the research proposal, determined whether you need to provide specific consent for the research use of your PHI and established protocols to ensure the privacy of your information, or determined that the researcher will be provided only with information that does not identify you directly.
De-Identified Information: We may use your health information to create “de-identified” information, which means that information that can be used to identify you will be removed. There are specific rules under the law about what type of information needs to be removed before information is de-identified. Once information has been de-identified as required by law, it is no longer subject to this policy, and we may use it for any purpose without any further notice or compensation to you.
Coroners, Medical Examiners, and Funeral Directors: We may release your PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors consistent with applicable law to enable them to carry out their duties.
Organ or Tissue Procurement Organizations: Consistent with applicable law, we may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.
Personal Representative: We may use or disclose your PHI to your personal representative, as established under applicable law, or to an administrator, executor or other authorized individual associated with your estate.
Correctional Institution: If you are or become an inmate of a correctional institution, we may disclose to the institution or its agents PHI necessary for your health and the health and safety of other individuals.
To Avert a Serious Threat to Health or Safety: We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
Military and Veterans: If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
Specialized Government Functions: Under certain circumstances, we may disclose your PHI to units of the government with specialized functions such as the U.S. Military or the U.S. Department of State in response to requests as authorized by law.
Victims of Abuse or Neglect: We may disclose PHI about you to a government authority if we reasonably believe you are a victim of abuse or neglect. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else.
Other Uses and Disclosures of PHI
We will obtain your written authorization before using or disclosing your PHI for purposes other than those described above, including uses and disclosures of PHI for marketing purposes and disclosures that would constitute a sale of PHI. You may revoke this authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.
Breach Notification: We are required by law to notify you if we discover a breach of unsecured PHI, unless we can demonstrate, based on a risk assessment, that there is a low probability that the PHI was compromised. If a breach happens, we will notify you as soon as we can, and are required by law to notify you within 60 days after we learn of the breach. We will let you know what happened and what you can do to mitigate any potential harm.
Your Health Information Rights
Obtain a paper copy of the Notice upon request. You may request a copy of our current Notice at any time from the Privacy Officer. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy.
Request a restriction on certain uses and disclosures of PHI. You have the right to request additional restrictions on our use or disclosure of your PHI for treatment, payment or health care operations activities, or to individuals involved in your care, by sending a written request to Foundation Medicine’s Privacy Officer. We are not required to agree to those restrictions, unless the disclosure is not required by law and you paid for the service in full out of pocket.
Request an amendment of PHI. If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. To request an amendment, you must send a written request to the Privacy Officer. You must include a reason that supports your request. In certain cases, we may deny your request for amendment. For example, in circumstances under which the patient would be denied access to his/her PHI, we may deny a request for amendment.
Receive an accounting of disclosures of PHI. You have the right to receive an accounting of the disclosures we have made of your PHI. The right to receive an accounting is subject to certain exceptions, restrictions, and limitations. To request an accounting, you must submit a request in writing to the Privacy Officer. Your request must specify the time period for which you would like an accounting, but this time period may not be longer than six years, and a shorter period may apply for some disclosures.
Request communications of PHI by alternative means or at alternative locations. You have a right to request to receive communications of PHI by alternate means or at alternate locations. For instance, you may request that we contact you about medical matters o
different residence or post office box. To request confidential communication of your PHI, you must submit a request in writing to the Privacy Officer. Your request must state how or where you would like to be contacted. We will accommodate all reasonable requests.
For More Information or to Report a Problem
If you have questions or would like additional information about our privacy practices, you may contact:
Foundation Medicine, Inc. Privacy Officer 150 Second Street Cambridge, MA 02141 firstname.lastname@example.org
If you believe your privacy rights have been violated, you can file a complaint with the Privacy Officer or with the United States Secretary of Health and Human Services. There will be no retaliation for filing a complaint.
Privacy Shield Certification:
The Privacy Shield includes two frameworks, a European Union/United States program implemented to ensure the protection of personal information (PI) transferred from European Union Member States to the U.S and a similar Swiss-U.S. program for similar transfers of PI from Switzerland to the U.S. The types of PI protected under the Privacy Shield frameworks include Human Resources (HR) PI for employees and Non-HR PI. An organization in the U.S. intending to receive PI from E.U. Members or Switzerland can self-certify to the respective Privacy Shields; this is recognized by E.U. Members and Switzerland as meeting the minimum requirements of data protection for PI transfers from any of those jurisdictions to the U.S. We comply with the E.U.-U.S. and Swiss-U.S. Privacy Shield Frameworks, and commit to adhering to the seven Privacy Shield Principles when receiving Non-HR and HR PI from E.U. Members or Switzerland. For our Privacy Shield participation, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Information on the Privacy Shield program and a list of participants may be found at www.privacyshield.gov. Among the requirements of the Principles, we will adhere to the following:
• We will only use the select Non-HR PI and HR PI (such as name, address, date of birth, gender, and certain health information) we collect for the purposes of providing our products and services or other purposes consistent with your authorization or consent. We will notify patients whose Non-HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland of our self-certification to the Privacy Shield, including what steps we take to protect such PI. We will also notify patients whose Non-HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland that we may be required to disclose PI in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We will provide the same types of notice to employees whose HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland;
• We will provide patients & employees whose PI will be transferred to the U.S. from E.U. Members and/or Switzerland an opportunity to opt into and/or out of certain disclosures, including transfer of PI to a third party. If any E.U. Member/Swiss PI is transferred to a third party, such third party will also adhere to the Principles and enter into any required contractual arrangements as provided in the Privacy Shield. We remain liable under the Privacy Shield Principles if our agents process Non-HR PI or HR PI inconsistent with the principles, unless we are not responsible for the event giving rise to the damage;
• We will ensure that patients & employees whose PI has been transferred to the U.S. from E.U. Members and/or Switzerland have the opportunity to review and amend their own PI (where it remains PI, i.e., in identifiable form) by contacting us at email@example.com or in writing at Foundation Medicine, Inc., Privacy Officer, 150 Second St., Cambridge, MA 02141;
• We will adhere to an independent recourse mechanism for cases of complaints regarding the handling of Non-HR PI transferred to the U.S. from E.U. Members and/or Switzerland. Complaints may first be directed to Foundation Medicine at the contact information provided below. Should your complaint fail to be resolved, you may file a complaint, free of charge, with the US-based independent recourse mechanism JAMS at https://www.jamsadr.com/eu-us-privacy-shield. Should your complaint fail to be resolved through the independent recourse mechanism, you may file a complaint with your data protection authority which will raise the matter with the U.S. Department of Commerce. Should your complaint still fail to be resolved, you may have a right to invoke binding arbitration. Please contact us at the information provided above for more information; and
• We have committed to cooperate with EU data protection authorities (DPAs) and Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning HR PI transferred to the U.S. from E.U. Members and/or Switzerland in the context of the employment relationship. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs or FDPIC for more information or to file a complaint. The services of EU DPAs and FDPIC are provided at no cost to you. Should your complaint fail to be resolved by the EU DPAs or FDPIC, you may have a right to invoke binding arbitration. Please contact us at the information provided above for more information.