ARUP Laboratories (ARUP) is committed to protecting the confidentiality of your medical and health information (protected health information), as described in this notice, and maintains the privacy of your protected health information as required by law. We have provided this notice to describe our privacy practices relating to protected health information, including how we may use your protected health information within ARUP and how, under certain circumstances, we may disclose it to others outside ARUP. This notice also describes the rights you have concerning your own protected health information. Please review carefully, and if you have questions about any part of this data privacy notice, or if you want more information about the privacy practices of ARUP, please contact the data protection officer listed at the end of this notice.
ARUP is a clinical laboratory organization headquartered and principally operating in the United States. As warranted for ARUP’s services, ARUP receives human specimens, such as blood and urine, in connection of the following services:
- Clinical laboratory services: ARUP performs a wide variety of clinical tests (including genetic) on specimens (e.g., blood, tissue, urine, etc.) as ordered through physicians, healthcare providers, hospitals, clinics, and clinical trial organizations.
- ARUP will ONLY be a data processor or sub-processor.
The personal data that ARUP collects in relation to its services is limited to that which is appropriate and proportionate to the reason for data collection. The information that we collect in connection with clinical laboratory services generally includes the individual’s name, the name and contact details of the physician and/or healthcare organization ordering the tests, the contact details of any other physicians who are identified by the requester to receive the results, the insurance (or other billing) information if necessary, the tests requested, and relevant associated information, such as gender, as warranted for services, age and/or date of birth. Most testing requests received for clinical trials are pseudonymized and are exempt from these regulations.
ARUP uses the personal data of patients and other individuals only for the purposes intended by the healthcare professionals, other organizations, or insurers who share the data with ARUP, such as to perform the requested testing, return the results as instructed by them, facilitate proper invoicing and payment, and/or to ensure proper quality checks and accuracy in our practices. If an individual or caregiver contacts us directly with a question or inquiry, we will use your data for purposes of providing a response (after proper authentication). ARUP may also use the data collected to fulfill our regulatory and legal obligations, such as in relation to audits, checking to ensure that our testing equipment is working properly, and to comply with oversight agency inspections. In accordance with applicable laws, various de-identified or anonymized data may also be used to aid in tracking health trends and needed areas of research.
Access Limitations and Sharing Your Data
Access to personal data received in connection with the services described in this notice is strictly limited to ARUP workforce members and contractors who require access in relation to their job responsibilities. Individuals are trained in advance on the privacy and security requirements that apply to handling patient and other personal data. Contractors are required pursuant to the terms of their agreements to follow all measures required by law to ensure personal privacy.
We may also share certain personal data received in relation to the services described in this notice with third parties working with ARUP, such as third-party laboratories with whom we have collaborations for performing certain specialized laboratory testing. We never sell or share personal data pertaining to patients or other individuals with third parties for their own separate use.
To the extent that we are required to provide access to any personal data to third parties who are not our business partners, such as in connection with regulatory audits, to fulfill regulatory reporting obligations to health oversight agencies, or in the event of any legal situations, we take steps to limit the data to what is required for the specific purpose and take steps to ensure that data is adequately safeguarded.
Because ARUP is headquartered in the United States, the personal data that we collect in relation to the services described in this notice is generally processed in the U.S. The data may be stored on secure servers located in the U.S. or elsewhere. As such, your data is only accessible to authorized, limited persons who require access to perform their job responsibilities, and those persons may be located in countries other than your country of residence. Although there are variations in the data protection laws and level of protection of personal data from country to country, ARUP takes steps to ensure that your data is appropriately safeguarded and transferred in a manner consistent with the General Data Protection Regulation (GDPR).
ARUP has appropriate technical and organizational security measures to prevent unauthorized or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration or damage to the personal data that it collects about individuals for the services described in this notice. Irrespective of whether the data are stored in paper or electronic form, these measures are intended to ensure an appropriate level of security in relation to the risks inherent to the processing and the nature of the data to be protected, and are also applied in a manner consistent with applicable laws and regulations.
ARUP takes reasonable steps to keep its personal data accurate, complete, and up-to-date in accordance with the purposes for which it was collected. ARUP also relies on the healthcare professionals, insurers, and other individuals who entrust us with personal data for purposes of providing the services described in this notice, to provide accurate information to us, and to amend or update that information if they later determine that it is incomplete or inaccurate.
Individuals whose personal data is collected and processed by ARUP can contact ARUP at the address below for any questions about their data or to exercise their individual rights of access, amendment, objection, or erasure. To protect privacy, we require individuals to authenticate themselves and will provide them with a form to obtain a copy of their data. In accordance with applicable laws, these rights, and particularly the right to amendment, objection, or erasure, are limited. Please contact ARUP’s data protection officer to exercise your rights.
Right to Withdraw Consent (Opt-Out)
In accordance with applicable data protection laws and requirements, ARUP provides individuals with the right to withdraw consent (opt out) in relation to personal data entrusted to us. To do so, you may contact us at firstname.lastname@example.org. For certain commercial or other voluntary programs, you may also withdraw consent or modify your contact preferences via additional options described in the program materials. The right to withdraw consent is not absolute in all contexts and may be limited by legal and regulatory obligations.
ARUP retains the personal data of individuals referenced in this notice consistent with legal and business requirements and then securely disposes of the information.
Questions, Concerns or Complaints
If you have any questions about this notice or have further questions about how ARUP may use and disclose your protected health information, please contact the data privacy officer as set forth below. We welcome your feedback regarding any problems or concerns you have with your privacy rights or how ARUP uses or discloses your protected health information.
Effective: November 30, 2018
Karen M Gauna, CT(ASCP), CHC, CHPC
Data Protection Officer
500 Chipeta Way MS241
Salt Lake City, Utah 84108-1221