Last updated: August 26, 2020
Coriell Life Sciences, Inc. (“CLS,” “we”, or “us”) is a leading and trusted bioinformatics company that bridges the gap between genetic knowledge and clinical application. We are committed to protecting your privacy.
At Coriell Life Sciences, your privacy is our priority – we are committed to protecting the confidentiality of our clients and their members. We take every precaution to maintain the security of DNA samples and the data they generate. Every person that we test always has the right, at any time, to decide where their data is sent and whether or not it can be stored.
What We Analyze
Coriell Life Sciences does not sequence an individual’s entire genome – we study the small fraction that affects drug-to-gene interactions. Each person has 3.2 billion base pairs in their DNA, but very few of those base pairs have been found to be associated with drug-to-gene interactions. In fact, within the small fraction that we analyze – no more than 120 out of 3.2 billion base pairs – there is nothing uniquely identifying about a specific person, and the small part of the genome we sample will not tell us whether you are likely to get a particular disease.
We are committed to protecting and respecting your privacy and complying with the principles of applicable data protection laws. This notice sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
Coriell Life Sciences is HIPAA-compliant. HIPAA, the Health Information Portability and Accountability Act of 1996, mandates that we meet strict standards for the electronic exchange, privacy, and security of health information. Further, the Genetic Information Nondiscrimination Act (GINA) mandates that an individual’s genetics cannot be held against them by either health insurers or employers.
All personally identifiable information is stripped from DNA samples and stored in separate databases. The DNA samples collected and the data they generate are tracked using bar-code IDs. Almost all of the person’s DNA sample is consumed during the testing process, and any remaining DNA sample is destroyed. The data analyzed has multiple layers of encryption, and Coriell Life Sciences also “salts” the data, sprinkling random data with the actual data.
All results are confidential. Data is held by Coriell Life Sciences and shared only with the reviewing pharmacist, the individual being tested, and that person’s designated healthcare provider. Program administrators are provided only with overall metrics to monitor the success of the initiative.
Coriell Life Sciences has a strong security culture within the team and management. The importance of security is reflected by the senior leadership within the organization. CLS has mature identity and access management practices and permissions are assigned with the principle of “least privilege” giving users fine-grained access tied specifically to what is required to perform their duties. All personnel receive formation security training on an annual basis.
CLS has a rigorous set of policies that the organization follows to ensure consistent practice and protect the confidentiality, integrity, and availability of CLS and its customers.
Information that you provide to CLS through the website is encrypted using industry-standard Secure Sockets Layer (SSL) technology. Your information is processed and stored on controlled servers with restricted access. We do not and cannot control the security of information as you transmit it to us and therefore are not responsible for any data that is compromised or lost during transmission. Please use your discretion regarding the types of information you send and the security of the device and network you are using.
Our website is directed at an adult audience. By using the website, you certify that you are not under the age of 18. We will not knowingly collect or use any personal information from any child under the age of 18. If you are aware that we have collected personal information from a child under the age of 18, please notify us. If we become aware that we have collected any personal information from a child under the age of 18, we will promptly remove such information from our databases.
Types of Personal Information Collected
CLS may collect, store, and use personally identifiable information (including your name, email address, and physical address) when you voluntarily submit it to us, such as when you contact us or register on our website or for services.
This website collects cookies, usage data, and geographic position for the purpose of providing the service required by the user, in addition to any other purposes described in the present document.
Use of Personal Information
We may use your personal information to contact you, improve the website and services, provide you with information that you have requested, or provide you with additional information that CLS believes may be of interest to you. We may also use this information to respond to your inquiries, provide you with technical support, and enforce policies governing use of the services. We may combine your information with other information about you that is available to us, including information from third-party sources. CLS will not sell or rent your personal information to any third party for commercial purposes. CLS may share your information with third-party service providers to allow them to perform marketing or other services on our behalf. CLS may disclose your personal information to law enforcement officials, regulatory agencies, or other third parties as we, in our sole discretion, believe necessary or appropriate in connection with an investigation of illegal activity and to enforce our rights, to enforce this policy and other policies governing the Services. CLS may also disclose your information in connection with corporate restructuring, merger, or consolidation with, or sale of substantially all of our assets to a third party.
Aggregate Data Collection
Detailed Information on the Process of Personal Data
Personal data is collected for the following purposes and using the following services.
The services contained in this section enable CLS to monitor and analyze web traffic and can be used to keep track of user behavior.
Google Analytics (Google LLC). Google Analytics is a web analysis service provided by Google LLC (“Google”). Google utilizes the data collected to track and examine the use of this site, to prepare reports on its activities and share them with other Google services. Google may use the data collected to contextualize and personalize the ads of its own advertising network.
Personal Data collected: Cookies and usage data.
This site may collect, use, and share user location data in order to provide location-based services.
Most browsers and devices provide tools to opt-out from this feature by default. If explicit authorization has been provided, the user’s location data may be tracked by this site.
The geographic location of the user is determined in a manner that isn’t continuous, either at the specific request of the user or when the user doesn’t enter their current location in the appropriate field and allows the application to detect the position automatically.
Personal data collected: Geographic position.
CLS may use the personal and usage data collected through this website to create or update user profiles. This type of data processing allows us to evaluate User choices, preferences, and behavior for the purposes outlined in the respective section of this document.
User profiles can also be created through the use of automated tools like algorithms, which can also be provided by third parties. To find out more about the profiling activities performed, users can check the relevant sections of this document.
The user always has a right to object to this kind of profiling activity. To find out more about the user’s rights and how to exercise them, the user is invited to consult the section of this document outlining the rights of the user.
Rights of the User
To enforce your rights, please use the details provided in the Contact section. In doing so, please ensure that unambiguous identification of your person is possible.
In particular, Users have the right to do the following:
- Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their personal data.
- Object to processing of their data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
- Access their data. Users have the right to learn if Data is being processed by CLS, obtain disclosure regarding certain aspects of the processing, and obtain a copy of the Data undergoing processing.
- Verify and seek rectification. Users have the right to verify the accuracy of their data and ask for it to be updated or corrected.
- Restrict the processing of their data. Users have the right, under certain circumstances, to restrict the processing of their data. In this case, CLS will not process their data for any purpose other than storing it.
- Have their personal data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the owner.
- Receive their data and have it transferred to another controller. Users have the right to receive their data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the data is processed by automated means and that the processing is based on the user’s consent, on a contract which the user is part of or on pre-contractual obligations thereof.
- Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.
Where personal data is processed for public interest, in the exercise of an official authority vested in CLS, or for the purposes of the legitimate interests pursued by the owner, users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users should know, however, that if their personal data is processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the owner is processing personal data for direct marketing purposes, Users may refer to the relevant sections of this document.
Third-party Sites and Information
The website may contain links to third party websites. CLS does not maintain these sites and is not responsible for the data collection or privacy practices of those sites. Refer to the specific privacy statements posted on those sites before using them or sharing information with them. By using our website, you agree that you will only provide personal information of third parties if those parties have expressly consented to your actions.
Additional Information for California Residents
Your California Consumer Privacy Act of 2018 (“CCPA”) Rights. Residents of California may have the following rights:
- Right to Access Your Personal Information. You may request access to the categories and specific pieces of personal information that we collected about you through the website.
- Right to Deletion. Subject to certain exceptions, you may ask us to delete the personal information we collected about you through the website.
- Right to Disclosure. You may request to receive additional details about the sources from which we collect information, the reasons we collect and share information, and the types of third parties with which we share the personal information we collected about you through the website.
- Right to Opt-out of Sales. Under CCPA law, certain types of sharing of personal information may constitute a “sale” of your personal information. We do not sell the personal information we collected about you through the website.
- Right to be Free from Discrimination. You may exercise any of the above rights without fear of being denied goods or services.
If you would like to exercise your CCPA rights with respect to the personal information we collected about you through the website, please contact us by email at firstname.lastname@example.org.
Your Shine the Light California Rights (CA Civil Code §1798.83)
Residents of California who use the website primarily for personal, family or household purposes may request a list of third parties to which certain personal information (as defined by applicable California law) obtained through the website was disclosed by CLS during the preceding year for those third parties’ direct marketing purposes. If you are a California resident and want such a list, please contact us at email@example.com. For such requests, you must put the statement “Your California Privacy Rights” in the body of your request, as well as your name, street address, city, state, and zip code. In your request, you need to attest to the fact that you are a California resident and provide a current California address for our response.
Changes to this Policy
Definitions and Legal References
Personal Data (or Data). Any information that directly, indirectly, or in connection with other information—including a personal identification number—allows for the identification or identifiability of a natural person.
Usage Data. Information collected automatically through this Application (or third-party services employed in this Application), which can include: the IP addresses or domain names of the computers utilized by the users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the user, the various time details per visit (e.g., the time spent on each page within the Application), and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the user’s IT environment.
User. The individual using this Application who, unless otherwise specified, coincides with the data subject.
Data Subject. The natural person to whom the personal data refers.
Data Controller (or Owner). The natural or legal person, public authority, agency, or other body which alone or jointly with others, determines the purposes and means of the processing of personal data, including the security measures concerning the operation and use of this application. The Data Controller, unless otherwise specified, is the owner of this application.
This Application. The means by which the personal data of the user is collected and processed.
Service. The service provided by this Application as described in relative terms (if available) and on this site/application.
Cookies. Small sets of data stored in the user’s device.
If you wish to contact us about your personal data, please contact:
Coriell Life Sciences
4747 South Broad Street
Building 101, Suite 222
Philadelphia, PA 19112
Phone: (888) 415-7834
Notice of Privacy Practices
Your Information. Your Rights. Our Responsibilities.
PLEASE REVIEW CAREFULLY
At Coriell Life Sciences (CLS), we respect the privacy and confidentiality of your protected health information (PHI). We are required by law to maintain the privacy of your health information that CLS creates, requests, or is created on CLS’s behalf, called Protected Health Information (“PHI”) and to provide you with notice of CLS’s legal duties and privacy practices concerning PHI.
This Notice describes how CLS may use and disclose your PHI to carry out health care operations and for other purposes that are permitted or required by law.
You have the right to:
- Get a copy of your paper or electronic medical record.
- Correct your paper or electronic medical record.
- Request confidential communication.
- Ask us to limit the information we share.
- Get a list of those with whom we’ve shared your information.
- Get a copy of this privacy notice.
- Choose someone to act for you.
- File a complaint if your privacy rights have been violated.
You have some choices in the way that we use and share information as we:
- Tell family and friends about your condition.
- Provide disaster relief.
- Include you in a hospital directory.
- Provide mental health care.
- Market our services and sell your information.
- Raise funds.
Our Uses and Disclosures
We may use and share your information as we:
- Treat you.
- Do research.
- Run our organization.
- Work with a medical examiner or funeral director.
- Bill for your services.
- Respond to organ and tissue donation requests.
- Help with public health and safety issues.
- Comply with the law.
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.
Get an electronic or paper copy of your medical record
- You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.
- We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
Ask us to amend your medical record
- You can ask us to amend health information about you that you think is incorrect or incomplete. Ask us how to do this.
- We may say “no” to your request, but we’ll tell you why in writing within 60 days.
Request confidential communications
- You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
- We will say “yes” to all reasonable requests.
Ask us to limit what we use or share
- You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
- If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.
Get a list of those with whom we’ve shared information
- You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
- We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
Choose someone to act for you
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will ensure the person has this authority before we take any action.
For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.
In these cases, you have both the right and choice to tell us to:
- Share information with your family, close friends, or others involved in your care.
- Share information in a disaster relief situation.
If you are not able to tell us your preference, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.
In these cases, we never share your information unless you give us written permission:
- Marketing purposes
- Most sharing of psychotherapy notes
- Sale of your information
In the case of fundraising, we may contact you for fundraising efforts, but you can tell us not to contact you again.
Our Uses and Disclosures
We typically use/share health information in the following ways. We can use your health information and share it with other professionals who are treating you.
We can use and share your health information to run our practice, improve your care, and contact you when necessary. We can use and share your health information to bill and get payment from health plans or other entities.
For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.
How else can we use or share your health information?
We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes.
Help with public health and safety issues
We can share health information about you for certain situations such as:
- Preventing disease.
- Preventing or reducing a serious threat to anyone’s health or safety.
- Helping with product recalls.
- Reporting suspected abuse, neglect, or domestic violence.
- Reporting adverse reactions to medications.
We may use and share your information as we do research, comply with the law, respond to organ and tissue donation requests, and work with a medical examiner or funeral director.
We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
We can use or share health information about you:
- For workers’ compensation claims.
- For law enforcement purposes or with a law enforcement official.
- With health oversight agencies for activities authorized by law.
- For special government functions such as military, national security, and presidential protective services.
- To respond to lawsuits and legal actions.
Our Responsibilities
- We are required by law to maintain the privacy and security of your protected health information.
- We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
- We must follow the duties and privacy practices described in this notice and give you a copy of it.
- We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.
Changes to the Terms of this Notice
We can change the terms of this notice, and the changes will apply to all information we have about you.
The new notice will be available upon request, in our office, and on our web site: www.coriell.com.
You Have A Right To File A Complaint If You Feel Your Privacy Has Been Violated
If you feel your Privacy Rights have been violated, please ask our staff for a Privacy Complaint Form. Our Security Officer will review the form and promptly notify you of the actions our office will take.
You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, or calling 1-877-696-6775.
If you need to report any issues anonymously please use this link: https://integritycounts.ca/org/corielllifesciences.
We will not retaliate against you for filing a complaint.
Get a copy of this privacy notice. You can ask for a paper copy of this notice at any time.
Coriell Life Sciences
HIPAA Compliance Officer
This Notice of Privacy Practices is effective August 26, 2020.