iRhythm Technologies Ltd. and iRhythm Technologies, Inc. ("iRhythm™") care about your confidentiality and privacy rights and comply with data protection laws to keep your information safe. Please read this patient notice carefully before returning it with your Zio® XT or Zio® AT Patch cardiac monitor to iRhythm.
By returning the Zio patch to us, you acknowledge that you have read and understood this patient notice (as contained in the Zio booklet). It is important to note that the Zio booklet contains a similar separate notice which is provided physically to you. It includes an invitation for you to sign a declaration confirming your agreement to use the Zio patch and that is then sent back by you to iRhythm for the purposes set out in this patient notice.
1. CONFIDENTIALITY AND CONSENT
Your doctor has prescribed the Zio service for you. iRhythm provides the Zio service, which includes long-term heart monitoring and evaluation. Your doctor will, with your consent, start the Zio service by attaching an adhesive monitoring device to your chest. This device will collect your heart rhythm data. Your doctor will collect identification information such as your name, address and date of birth to safely identify your resulting heart rhythm report, and register it on iRhythm’s physician portal. Your heart rhythm data will be sent to iRhythm when you return the Zio patch by post.
iRhythm receives and processes your personal data in confidence to help create a report of the findings. Only iRhythm, your doctor and hospital will have access to this report for the purpose of supporting your direct care. iRhythm may also replace your direct identifying information with a reference number and study your heart rhythm data for two reasons: (i) reporting to your doctor and (ii) improvement of iRhythm services.
How to contact iRhythm
You have the right to object to the disclosure of your personal data. If you wish to do so, or have any question about the processing of your data, please contact the iRhythm Privacy Official through our UK office at 0808 189 3411 or via email at email@example.com. Please also consult your doctor regarding his or her privacy practices.
Calls may be recorded or monitored for training and quality purposes with callers notified prior to being connected with a call handler. When necessary, calls made outside of normal UK working hours may be diverted to iRhythm's support team in the United States.
2. DATA PROTECTION
Here we explain how iRhythm collects and uses your personal data and heart rhythm data during and after your use of the Zio service.
How will iRhythm use personal data it receives about you?
iRhythm processes your personal data for the following purposes and on the corresponding lawful basis in connection with providing the Zio service.
Your personal data will be used for the purposes set out in this patient notice. If iRhythm needs to use your personal data for an unrelated purpose not set out in this patient notice, we will notify you and where relevant, obtain your consent.
| Purpose | Lawful basis (personal data) | Lawful basis (special 'sensitive' category data) |
| --- | --- | --- |
| Provision of diagnostic services supported by our use of AI to improve diagnostic accuracy and patient safety. See 'Our use of AI' below, for more information. | Legitimate interest in your health care and in supporting clinical treatment decisions. | Providing preventative medicine and diagnostic services by supporting medical diagnosis for the purpose of healthcare treatment. |
| Improving the quality of diagnostic services including our use of AI to improve diagnostic accuracy and patient safety. See 'Our use of AI' below, for more information. | Legitimate interest in your health care and in supporting clinical treatment decisions. | Management of systems and services providing preventative medicine and diagnostic services. |
| Statistical analysis and reporting. | Legitimate interest in research improving diagnostic and clinical treatment decisions. | Research and statistical purposes. |
| Clinical standards and reporting. | Complying with legal obligations to which we are subject. | Public interest in the area of public health necessary for maintaining standards relevant to healthcare and medicinal products. |
| Patient protection. | Necessary in any emergency situation in order to protect your vital interests (or the interests of another person). | Necessary in any emergency situation to protect your vital interests (or the interests of another person). |
| Assessing, responding to and reporting on patient enquiries, experience, complaints and feedback, including calls to iRhythm’s Customer Support Team. | Necessary for our legitimate interest in service delivery and improvement. Necessary to assess and comply, where applicable, with legal obligations. | Where volunteered by you with consent. Public interest in the area of public health necessary for maintaining standards relevant to healthcare and medicinal products. |
Our use of AI
Our use of AI, which follows highly regulated industry standards, helps eliminate the risks of error associated with a purely human review of heart rhythm data. Our diagnostic systems do not use solely automated decision making but support, rather than replace, clinician review by drawing upon derived understanding from analysing and comparing thousands of different heart rhythm patterns. This learning helps our software to recognise and flag anomalies for closer inspection by our clinicians, thereby enabling more efficient heart rhythm analysis for faster, more reliable diagnostic outcomes.
We apply rigorous measures to ensure data we use for this purpose is safeguarded under data protection law. Heart rhythm data and associated clinical markers are extracted and processed in a separate environment from your identifying data. The purpose of this processing is to better inform, at a system level, the understanding of different diagnostic models rather than decisions relating to you.
We may share your information in the following circumstances:
Within the iRhythm Group when needed to support our processing of your personal data.
iRhythm may provide personal data to third parties including our vendors, partners and service providers (e.g. cloud service providers) who perform services on our behalf. These providers have limited access to your personal data only to the extent necessary to perform these support tasks on our behalf and subject to the same confidentiality and security safeguards as those applied by iRhythm.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We are responsible and remain liable for the processing of personal data we receive, including where this involves an International Transfer of personal data or if we subsequently transfer to a third party acting as an agent on our behalf as described further below.
In accordance with United Kingdom’s data protection law(s), iRhythm will transfer only necessary personal data to its independent diagnostic testing facility in the United States and may share details of specific enquiries, reports or complaints received with the iRhythm US support team, in each case subject to applicable legal and supplemental safeguards.
Approved Standard Contractual Clauses and Supplemental Safeguards
iRhythm Ltd. has executed approved Standard Contractual Clauses (SCCs) with iRhythm Inc. in order to provide adequate data protection for this data transfer. iRhythm also seeks to apply supplemental safeguards in support of the use of legal data transfer mechanisms, including pseudonymization of transmitted Zio patch data (using a patch serial number rather than a direct patient identifier) and encryption of transmitted data. iRhythm Ltd. will keep under review the continued adequacy of any data transfer arrangement with iRhythm Inc.
Privacy Shield
Please note, we no longer rely on Privacy Shield to transfer personal data originating in the United Kingdom or EEA but will continue to abide by the privacy commitments made under our existing Privacy Shield certification.
We comply with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Please see https://www.privacyshield.gov/list for more information about our certification.
Our privacy shield notice is available at https://www.privacyshield.gov/list.
Although the Court of Justice of the European Union (CJEU) ruled in July 2020 that the EU-US Privacy Shield is no longer a valid mechanism for transfers of personal data from the European Union (EU) to the U.S., the same ruling confirmed that SCCs remain a valid legal mechanism to transfer personal data outside the EU. iRhythm’s use of SCCs as described above is intended to follow this ruling.
How long will your information be used for?
We retain personal data for the length of your use of the Zio service and as necessary to meet our contractual obligations, to identify issues or to resolve legal proceedings. We may also retain aggregate information beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes.
Your rights in connection with personal data
You have the right under certain circumstances:
To be provided with a copy of your personal data held by us
To request the rectification or erasure of your personal data held by us
To request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example)
To object to the further processing of your personal data
To request that your provided personal data be moved to a third party
Where the processing of your personal data by us is based on consent, you have the right to withdraw that consent by contacting us, your doctor or hospital. The possible consequences of this will be explained to you and could include delays in diagnosis, care or treatment that the Zio service supports.
Contacting iRhythm and resolving disputes about your information
Additionally, any inquiries or complaints regarding how we handle your personal data under Privacy Shield should be addressed to firstname.lastname@example.org. If we are unable to resolve your complaint, you may submit it free of charge to an independent third-party dispute resolution service based in the U.S. at https://feedback-form.truste.com/watchdog/request.
If your complaint is not satisfactorily resolved by either iRhythm or the third-party resolution service, you may, under certain conditions, pursue binding arbitration through the Privacy Shield Panel at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.
If your request or enquiry relates to a UK-related data protection query and is not satisfactorily resolved by us, you may approach the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
iRhythm is subject to the investigation and enforcement actions of the Federal Trade Commission (FTC). iRhythm may be required to share your personal data, including the disclosure of EU personal data, to public authorities and law enforcement agencies in response to lawful requests, including requests to meet national security and law enforcement requirements.