Obtaining and Documenting Informed Consent for FoundationOne or FoundationHeme Testing
As you know, obtaining and documenting a patient’s informed consent to any type of testing and/or treatment is important. This can be especially true when genetic information is being obtained or otherwise utilized. Various states have specific laws or regulations that may govern the process by which you are to obtain consent for FoundationOne® or FoundationOne® Heme testing. In some cases, these laws and regulations may require specific consent to conduct testing that generates genetic information, to retain and/or use the testing data (even in a HIPAA-compliant de-identified form), or to disclose the fully de-identified information for additional purposes such as de-identified research. In addition, your institution may have its own expectations with regard to how you obtain and document patient consent for this type of testing and the purposes for which the resulting genetic information may be used.
As a reference laboratory, Foundation Medicine relies upon ordering clinicians to obtain informed consent from patients in a manner that will satisfy any applicable legal requirements in their particular state and enable Foundation Medicine to retain patient test data and use de-identified data for research and other appropriate purposes. These consents allow Foundation Medicine to harness the power of the genomic information it aggregates through our testing to enhance our product offerings and better serve ordering oncologists and their patients, as well as to empower researchers working to develop new treatment paradigms and therapies with genomic insights that will advance cancer care. Our Test Requisition Form (TRF) asks you to represent to us that you have obtained informed consent, to the extent it is legally required, that will allow Foundation Medicine to conduct the test, keep a copy of the test results indefinitely, and de-identify the test results for future unspecified research or disclosure of the de-identified results.
In order to support physicians who need or want to obtain a signed consent form from their patients specific to FoundationOne or FoundationOne Heme testing, Foundation Medicine has prepared a template consent form which may be used at your and your institution’s discretion. It is intended to cover the most common requirements imposed with regard to obtaining patient consent for tests like those provided by Foundation Medicine. It is possible, however, that your state may have additional or unique legal requirements. As a result, we recommend that if you elect to use this template consent form, you consider first having it reviewed by relevant personnel at your institution or your legal counsel to ensure that it satisfies any institutional policy requirements as well as any unique laws to which you may be subject.
While we do not expect you to provide Foundation Medicine with copies of completed consent forms, it is important that you let us know—if you are in a state where specific patient consent is legally required—if a patient has refused to grant permission for Foundation Medicine to retain the test results or use or disclose fully de-identified test results for research or other purposes. This will help us better ensure the privacy of patient information and help us meet patient expectations.
You can download the Informed Consent form here.
The materials on Foundation Medicine’s website (FoundationMedicine.com), the FoundationOne website (FoundationOne.com) and Foundation Medicine’s LinkedIn, Twitter, and YouTube pages (collectively, the “Site”) are provided by Foundation Medicine, Inc. (“Foundation Medicine”) as a service to its customers and the general public and shall be used for informational purposes only.
Use of Personally Identifiable Information
Information submitted to Foundation Medicine through web forms or e-mail will be managed according to Foundation Medicine’s Privacy and Security policies.
No Unlawful or Prohibited Use
Personal and Non-Commercial Use
The Site is intended for personal, non-commercial use. The Site and its content are protected by United States copyright law. Except as specifically permitted, you may not copy, modify, distribute, transmit, display, publish, reproduce, license, create derivative works from, or sell any information obtained from the Site.
Forward Looking Statements
The Site contains forward-looking statements about our business. You should not place undue reliance on forward-looking statements as these statements are based upon our current expectations, forecasts and assumptions and are subject to significant risks and uncertainties. These statements may be identified by words such as “may,” “will,” “should,” “could,” “expect,” “intend,” “plan,” “anticipate,” “believe,” “estimate,” “predict,” “potential,” “forecast,” “continue” or the negative of these terms or other words or terms of similar meaning. We may also make forward-looking statements in other reports, in presentations, in materials delivered to stockholders and in press releases. In addition, our representatives may from time to time make oral forward-looking statements.
Risks and uncertainties that could cause our actual results to differ materially from those set forth in any forward-looking statements include, but are not limited to, the matters listed under “Risk Factors” in our annual report on Form 10-K, quarterly reports on Form 10-Q and our other filings with the Securities and Exchange Commission. These reports are available at www.sec.gov or by contacting our investor relations department at email@example.com.
Statements, including forward-looking statements, speak only to the date they are posted or provided (unless an earlier date is indicated), and we do not undertake any obligation to publicly update any statements, including forward-looking statements, whether as a result of new information, future events or otherwise.
Links to Other Web Sites
The Site may contain hyperlinks or references to websites owned, operated, or controlled by other parties. Foundation Medicine does not endorse, warrant, or guarantee the products, services, or information described or offered on other parties’ websites and is not liable for any damages or injury arising from such content. Foundation Medicine does not control the content of other parties’ websites and provides these links as a convenience only. Accessing any other website is undertaken at your own risk, and Foundation Medicine is not responsible for the completeness, accuracy, or reliability of any information, data, opinions, advice or statements made on these websites.
Unauthorized use of any Foundation Medicine trademark, service mark, or logo may be a violation of federal and state trademark law. Foundation Medicine products, service marks, and logos referenced by the Site are trademarks or registered trademarks of Foundation Medicine and/or its affiliates in the United States and other countries. Other trademarks, products, service marks, or logos are the property of their respective owners.
The Site Does Not Provide Medical or Professional Services Advice
Much of the information contained on the Site is presented for the purpose of general education for the public regarding cancer genomics and diagnostic testing, personalized cancer care, genomic research, and other general information concerning Foundation Medicine. Nothing contained on the Site is intended to constitute medical advice, instruction for medical diagnosis, or instruction for treatment. Any information provided on the Site should not be considered complete, nor should it be relied on to suggest a course of treatment for a particular individual. Information received from the Site should not be relied upon for personal, medical, legal, technical, or financial decisions. It should not be used in place of the consultation or advice of a physician or other qualified healthcare provider. Should you have any healthcare related questions, please consult with your physician or other qualified health care provider promptly. The information contained on the Site is compiled from a variety of sources. Foundation Medicine does not, through the Site or otherwise, directly or indirectly practice medicine, render medical advice, or provide medical services.
Foundation Medicine makes no representations or warranties about the suitability, reliability, availability, timeliness, completeness, or accuracy of the information, services, or related graphics contained on the Site for any purpose. All such information, services, and related graphics are provided “as is” without warranty of any kind. To the fullest extent permitted by law, Foundation Medicine and its officers, directors, employees and agents hereby disclaim all express or implied warranties and conditions with regard to the information, services, and related graphics, including all implied warranties or conditions of merchantability, fitness for a particular purpose, title, and non-infringement.
Limitation of Liability
In no event shall Foundation Medicine be liable for any direct, indirect, punitive, incidental, special, or consequential damages or any claim for lost profits or lost data arising out of or in any way connected with the use or performance of the Site, or with any delay or inability to use the Site, whether arising in contract, tort, negligence, strict liability, or otherwise, even if Foundation Medicine has been advised of the possibility of damages. This limitation of liability shall apply to the fullest extent permitted by law in the applicable jurisdiction.
The information and services included in or available through the Site may include inaccuracies or typographical errors. Foundation Medicine may make revisions, improvements, and/or changes to the Site at any time without notice but expressly disclaims any obligation to update such information.
HOW WE USE PERSONAL INFORMATION
Foundation Medicine uses Personal Information to deliver medical information to physicians to assist them in the treatment of their patients.
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Foundation Medicine is committed to obtaining, maintaining, using and disclosing patient protected health information in a manner that protects patient privacy. We urge you to read this Notice of Privacy Practices (“Notice”) carefully in order to understand both our commitment to the privacy of your protected health information and your rights.
Foundation Medicine is required by law to maintain the privacy of your protected health information and to provide you with a notice of our legal duties and privacy practices with respect to protected health information. This Notice describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by law. The Notice also describes your rights with respect to your protected health information. “Protected health information” or “PHI” is information about you, including basic demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.
We are required to follow the terms of this Notice. We will not use or disclose your protected health information without your written permission, except as described in this Notice. We reserve the right to change our practices and this Notice as and to the extent permitted by law and to make a new Notice effective for all protected health information we maintain. Upon your request, we will provide you with a revised Notice.
Examples of How We Use and Disclose Protected Health Information About You
Your PHI may be used and disclosed for treatment, payment, healthcare operations, and other purposes permitted or required by law. If we wish to use or disclose your PHI for other purposes, we would have to obtain your written authorization. Foundation Medicine may, however, use or disclose your PHI without specific authorization or permission for certain purposes, including:
Treatment: Foundation Medicine may use your health information to provide and coordinate the treatment and services you receive. For example, we may use your information to perform diagnostic tests, or provide your test results to your physician.
Payment: Foundation Medicine may use and disclose your health information to others for purposes of receiving payment for treatment and services that you receive. For example, we will submit a claim to you or your health plan/insurer that includes information that identifies you and the type of services we performed for you.
Health Care Operations: Foundation Medicine may use or disclose your PHI in order to support the operations of our laboratories and monitor the quality of the services we provide. For example, we may use information in your health record to evaluate the services our laboratories provide or to train our staff. In addition, we may contact you as part of a fundraising effort.
To Communicate with Individuals Involved in Your Care or Payment for Your Care: We may disclose to a family member, other relative, close personal friend or any other person you identify, PHI directly relevant to that person’s involvement in your care or payment related to your care.
Minors’ Protected Health Information: As permitted by federal and state law, we may disclose PHI about minors to their parents or guardians.
Business Associates: There are some services provided by Foundation Medicine through contracts with business associates (e.g., billing services), and we may disclose your PHI to our business associate so that they can perform the job we have asked them to do. To protect your information, however, we require the business associate to appropriately safeguard your information.
Food and Drug Administration (FDA): We may disclose to the FDA, or persons under the jurisdiction of the FDA, PHI relative to adverse events with respect to drugs, foods, supplements, products and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.
Worker’s Compensation: We may disclose your PHI to the extent authorized by and to the extent necessary to comply with laws relating to worker’s compensation or other similar programs established by law.
Public Health: As required by law, we may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability.
Law Enforcement: We may disclose your PHI for law enforcement purposes as permitted by law or in response to a valid subpoena or court order.
As Required by Law: We will disclose your PHI when required to do so by federal, state, or local law.
Health Oversight Activities: We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections necessary for licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Judicial and Administrative Proceedings: If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made, either by the requesting party or by us to tell you about the request or to obtain an order protecting the information requested.
Research: We may disclose your PHI to researchers when their research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your information.
Coroners, Medical Examiners, and Funeral Directors: We may release your PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors consistent with applicable law to enable them to carry out their duties.
Organ or Tissue Procurement Organizations: Consistent with applicable law, we may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant..
Notification: We may use or disclose your PHI to notify or assist in notifying a family member, personal representative, or another person responsible for your care, regarding your location and general condition.
Correctional Institution: If you are or become an inmate of a correctional institution, we may disclose to the institution or its agents PHI necessary for your health and the health and safety of other individuals.
To Avert a Serious Threat to Health or Safety: We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
Military and Veterans: If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
Specialized Government Functions: Under certain circumstances, we may disclose your PHI to units of the government with specialized functions such as the U.S. Military or the U.S. Department of State in response to requests as authorized by law.
Victims of Abuse or Neglect: We may disclose PHI about you to a government authority if we reasonably believe you are a victim of abuse or neglect. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else.
Other Uses and Disclosures of PHI
We will obtain your written authorization before using or disclosing your PHI for purposes other than those provided for above (or as otherwise permitted or required by law). You may revoke this authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.
Your Health Information Rights
Obtain a paper copy of the Notice upon request. You may request a copy of our current Notice at any time from the Privacy Officer. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy.
Request a restriction on certain uses and disclosures of PHI. You have the right to request additional restrictions on our use or disclosure of your PHI by sending a written request to Foundation Medicine’s Privacy Officer. We are not required to agree to those restrictions.
Inspect and obtain a copy of PHI. By law, a patient generally has the right to access and copy his/her PHI. However, PHI that is maintained by entities that are subject to the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) is specifically exempted from the right to access, to the extent the provision of access to the patient would be prohibited by law. Since Foundation Medicine is subject to CLIA, the applicable state law provisions may restrict your right to access and copy your PHI. If state law permits access, to inspect and copy your PHI, you must send a written request to the Privacy Officer. We may charge you a fee for the costs of copying, mailing and supplies that are necessary to fulfill your request. We may deny your request to inspect and copy in certain limited circumstances.
Request an amendment of PHI. If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. To request an amendment, you must send a written request to the Privacy Officer. You must include a reason that supports your request. In certain cases, we may deny your request for amendment. For example, in circumstances under which the patient would be denied access to his/her PHI, we may deny a request for amendment.
Receive an accounting of disclosures of PHI. You have the right to receive an accounting of the disclosures we have made of your PHI for purposes other than treatment, payment, healthcare operations, and certain other activities. The right to receive an accounting is subject to certain exceptions, restrictions, and limitations. To request an accounting, you must submit a request in writing to the Privacy Officer. Your request must specify the time period for which you would like an accounting, but this time period may not be longer than six years.
Request communications of PHI by alternative means or at alternative locations. You have a right to request to receive communications of PHI by alternate means or at alternate locations. For instance, you may request that we contact you about medical matters only in writing or at a different residence or post office box. To request confidential communication of your PHI, you must submit a request in writing to the Privacy Officer. Your request must state how or where you would like to be contacted. We will accommodate all reasonable requests.
For More Information or to Report a Problem
If you have questions or would like additional information about our privacy practices, you may contact:
Foundation Medicine, Inc.
150 Second Street
Cambridge, MA 02141
If you believe your privacy rights have been violated, you can file a complaint with the Privacy Officer or with the United States Secretary of Health and Human Services. There will be no retaliation for filing a complaint.
SAFE HARBOR POLICY
Agent: Any third party that collects or uses personal information provided to Foundation Medicine to perform tasks on behalf of and under the instructions of Foundation Medicine.
Personal Information: Personal Information means any information that identifies or could be used by or on behalf of Foundation Medicine to identify an individual. Personal information does not include information that is in an anonymous or de-identified state, encoded, or publicly available.
Sensitive Information: Sensitive Personal Information requires an extra level of protection. It is commonly considered to specify personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.
Notice: In situations in which Foundation Medicine collects personal information directly from individuals in the EEA or Switzerland it will notify them of the purposes for which the Personal Information it collects will be used and the types of Agents to which it discloses or may disclose that Personal Information.
In situations in which Foundation Medicine receives Personal Information from other entities or affiliates that are in the EEA or Switzerland, it will use, protect, and disclose this information in accordance with the notices provided by such external entities and the choices of the individuals related to this Personal Information.
Any inquiries or complaints regarding the use or disclosure of personal information should be reported to the Foundation Medicine Privacy Officer at firstname.lastname@example.org.
Choice: Foundation Medicine will offer individuals from the EEA or Switzerland the opportunity to choose (opt out) whether their Personal Information is to be disclosed to a third party that is not an Agent or to be used by Foundation Medicine for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
For Sensitive Personal Information, Foundation Medicine will give individuals the opportunity to affirmatively or explicitly consent (opt in) to either the disclosure of the information to a third party that is not an Agent or for a purpose other than the purpose for which it was originally collected or has been subsequently authorized by the individual.
Onward Transfers: Foundation Medicine will acquire satisfactory assurances, in writing, that any Agents to which it discloses personal information of individuals from the EEA or Switzerland will safeguard that information consistent with this policy or are subject to law providing the same level of privacy protection.
Security: Foundation Medicine will take reasonable steps through the implementation of appropriate physical, electronic, and managerial procedures to safeguard and secure the Information of individuals from the EEA or Switzerland from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
Data Integrity: Foundation Medicine will only process Personal Information of individuals from the EEA or Switzerland in a manner that is compatible with and relevant to the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Foundation Medicine will take reasonable steps to ensure that Personal Information is accurate, complete, current, and reliable for its intended use.
Access: Foundation Medicine will allow individuals from the EEA or Switzerland reasonable access to their Personal Information upon request to correct, amend, or delete inaccurate information.
Dispute Resolution: Any questions or concerns regarding the use or disclosure of personal information should be directed to the Foundation Medicine Privacy Office at the address given below. Foundation Medicine will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information by reference to the principles contained in this Policy. For complaints that cannot be resolved between Foundation Medicine and the complainant, Foundation Medicine has agreed to participate in the dispute resolution procedures in alignment with Safe Harbor principles facilitated by the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA).
Enforcement: Foundation Medicine will verify adherence to the privacy practices in this Policy through the performance of compliance reviews on a regular basis.
This Policy may be amended from time to time consistent with the requirements of the Safe Harbor. We will post any revised policy on this Site.
Questions, comments or complaints regarding the Policy or data collection and processing practices can be mailed or emailed to:
Foundation Medicine, Inc.
150 Second Street
Cambridge, MA 02141
Privacy Shield Certification:
The Privacy Shield includes two frameworks, a European Union/United States program implemented to ensure the protection of personal information (PI) transferred from European Union Member States to the U.S and a similar Swiss-U.S. program for similar transfers of PI from Switzerland to the U.S. The types of PI protected under the Privacy Shield frameworks include Human Resources (HR) PI for employees and Non-HR PI. An organization in the U.S. intending to receive PI from E.U. Members or Switzerland can self-certify to the respective Privacy Shields; this is recognized by E.U. Members and Switzerland as meeting the minimum requirements of data protection for PI transfers from any of those jurisdictions to the U.S.
We comply with the E.U.-U.S. and Swiss-U.S. Privacy Shield Frameworks, and commit to adhering to the seven Privacy Shield Principles when receiving Non-HR and HR PI from E.U. Members or Switzerland. For our Privacy Shield participation, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Information on the Privacy Shield program and a list of participants may be found at www.privacyshield.gov. Among the requirements of the Principles, we will adhere to the following:
- We will only use the select Non-HR PI and HR PI (such as name, address, date of birth, gender, and certain health information) we collect for the purposes of providing our products and services or other purposes consistent with your authorization or consent. We will notify patients whose Non-HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland of our self-certification to the Privacy Shield, including what steps we take to protect such PI. We will also notify patients whose Non-HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland that we may be required to disclose PI in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We will provide the same types of notice to employees whose HR PI may be transferred to the U.S. from E.U. Members and/or Switzerland;
- We will provide patients & employees whose PI will be transferred to the U.S. from E.U. Members and/or Switzerland an opportunity to opt into and/or out of certain disclosures, including transfer of PI to a third party. If any E.U. Member/Swiss PI is transferred to a third party, such third party will also adhere to the Principles and enter into any required contractual arrangements as provided in the Privacy Shield. We remain liable under the Privacy Shield Principles if our agents process Non-HR PI or HR PI inconsistent with the principles, unless we are not responsible for the event giving rise to the damage;
- We will ensure that patients & employees whose PI has been transferred to the U.S. from E.U. Members and/or Switzerland have the opportunity to review and amend their own PI (where it remains PI, i.e., in identifiable form) by contacting us at email@example.com or in writing at Foundation Medicine, Inc., Privacy Officer, 150 Second St., Cambridge, MA 02141;
- We will adhere to an independent recourse mechanism for cases of complaints regarding the handling of Non-HR PI transferred to the U.S. from E.U. Members and/or Switzerland. Complaints may first be directed to FMI at the contact information provided below. Should your complaint fail to be resolved, you may file a complaint, free of charge, with the US-based independent recourse mechanism JAMS at https://www.jamsadr.com/eu-us-privacy-shield. Should your complaint fail to be resolved through the independent recourse mechanism, you may file a complaint with your data protection authority which will raise the matter with the U.S. Department of Commerce. Should your complaint still fail to be resolved, you may have a right to invoke binding arbitration. Please contact us at the information provided above for more information; and
- We have committed to cooperate with EU data protection authorities (DPAs) and Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning HR PI transferred to the U.S. from E.U. Members and/or Switzerland in the context of the employment relationship. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs or FDPIC for more information or to file a complaint. The services of EU DPAs and FDPIC are provided at no cost to you. Should your complaint fail to be resolved by the EU DPAs or FDPIC, you may have a right to invoke binding arbitration. Please contact us at the information provided above for more information.