Who we are
uMed Technologies Inc. (uMed) is a clinical research and health technology company that acts on behalf of your healthcare provider to support the identification of eligible patients for medical research studies. These studies play a vital role in improving patient care and advancing medical treatments.
uMed operates as a Business Associate of your healthcare provider under a signed Business Associate Agreement (BAA), as defined under the Health Insurance Portability and Accountability Act (HIPAA). Your healthcare provider remains the Covered Entity and data controller for your protected health information (PHI). uMed processes your information only under the direction of your provider and strictly within the terms of the BAA.
Contact: dpo@umed.io
Post: uMed Technologies Inc., PO Box 726, 241 Arlington Street, Acton, MA 01720-2200, USA
Scope of this privacy notice
This notice is for patients whose healthcare provider has a Business Associate Agreement with uMed, and whose information may be included in a patient roster shared with uMed for the purpose of identifying eligible research participants.
If you are unsure whether your healthcare provider shares data with uMed, please contact your provider directly.
If you are a researcher, member of staff at a healthcare organization, or a user of the uMed website, please refer to uMed's general Privacy Notice at www.umed.io/security-and-privacy for information on how uMed processes your personal data in those contexts.
What information we collect and where it comes from
uMed receives patient roster data shared by your healthcare provider. This data is provided by the provider under the terms of the BAA and is used solely for the purpose of identifying patients who may be eligible for approved research studies.
The information received may include:
- Name
- Date of birth
- Phone number
- Email address
- Demographic information
- Relevant health record information (e.g., diagnosis codes)
On receipt, this data is stored securely within the uMed platform and protected using AES-256 encryption, strict role-based access controls, and comprehensive audit logging. Access is limited to authorized personnel with a legitimate purpose. Any health data shared with researchers following your consent is used in accordance with your explicit informed consent and HIPAA authorization. Identifiable information may be included where permitted by the authorization and the approved study protocol.
Prior to your consent, uMed does not connect directly to your healthcare provider's electronic health record (EHR) system. At this stage, data is provided to uMed by your healthcare provider in the form of a roster file containing limited contact and demographic information. If you choose to consent to participate in a research study, you may be asked to authorize the sharing of relevant data from your electronic health record with uMed and the research team, for the specific purposes of that study only.
Mobile Information and SMS Consent
uMed collects mobile phone numbers solely for the purpose of communicating with you about research opportunities, study participation, appointments, or other healthcare-related matters on behalf of your healthcare provider.
We do not share your mobile phone number or your opt-in consent for SMS/text messages with any third parties or affiliates for marketing or promotional purposes. Your mobile information is used only for the specific purposes described in this notice and in accordance with applicable law, including the Telephone Consumer Protection Act (TCPA).
Legal basis for processing
uMed processes your protected health information (PHI) as a Business Associate of your healthcare provider (the Covered Entity), under the following legal bases:
- Prior to your consent: Processing is conducted under the HIPAA preparatory to research provision (45 CFR § 164.512(i)(1)(ii)), which permits the use of PHI to identify and contact prospective research participants on behalf of the covered entity, without prior patient authorization, provided no PHI leaves the covered entity's controlled environment before consent is obtained.
- Following your consent: Processing is conducted on the basis of your explicit informed consent and HIPAA authorization, in accordance with 45 CFR § 164.508.
- Research activities: All research activities are conducted under IRB-approved protocols in compliance with the US Federal Policy for the Protection of Human Subjects (45 CFR Part 46).
When and how does uMed process my data?
When a research study has received IRB approval, uMed receives a roster file from your healthcare provider and performs an eligibility review based on the study's specific criteria. A list of potentially eligible patients is then reviewed and approved by your healthcare provider before any contact is initiated. Your provider retains final authority over who is contacted.
If you are identified as potentially eligible, uMed will contact you on behalf of your healthcare provider by SMS, email, or letter, inviting you to find out more about the study. Our trained clinical support team is available to answer any questions.
Your explicit informed consent and HIPAA authorization must be obtained before any of your health data is shared with the research team. Following consent, uMed may continue to support the study through engagement surveys and appointment scheduling.
Who can access my data?
Your data is not shared outside the uMed platform without your consent. Access within uMed is strictly limited and role-based. Personnel who may access the platform include:
- Authorized uMed clinical support staff (trained nurses) for the purpose of patient outreach
- Engineering staff for platform maintenance and incident response, under strict access controls
- Auditors conducting compliance reviews
The uMed platform maintains a full audit trail documenting who has accessed the platform and when.
Categories of recipients include: your healthcare provider (for authorization and oversight), approved researchers (post-consent, in accordance with your HIPAA authorization), authorized uMed clinical staff (for outreach), and audited sub-processors such as secure cloud hosting providers operating under BAA.
uMed ensures that any aggregated research outputs or publications use de-identified or anonymized data so that individual patients cannot be identified. Your individual details are fully protected in accordance with your authorization and applicable law.
How do we keep your data secure?
uMed implements appropriate administrative, physical, and technical safeguards to protect your PHI in accordance with HIPAA Security Rule requirements (45 CFR Part 164, Subpart C). These include:
- Encryption and access controls applied from the point of data receipt
- AES-256 encryption at rest and in transit (TLS 1.2 minimum)
- Multi-factor authentication for all platform access
- Strict role-based access controls
- Firewalls and intrusion detection systems
- Regular independent security audits and penetration tests
- ISO 27001:2022 certified information security management
- ISO 9001:2015 certified quality management
No data is shared without your provider's authorization and, where required, your own consent.
Storage and retention
uMed retains your data for as long as a Business Associate Agreement is in place with your healthcare provider, and for as long as required by the terms of any approved research study in which you have enrolled.
Following termination of a BAA, identifiable data is deleted within 30 days. Research data may be retained for longer where required by an approved IRB protocol or applicable law.
uMed retains records of its HIPAA compliance activities in accordance with the HIPAA requirement to retain documentation for a minimum of six years.
International transfers
In the majority of cases, your data is processed and stored within the United States. In limited circumstances, we may use carefully selected sub-processors located outside the US for specific operational support functions. In such cases, uMed ensures compliance through appropriate safeguards, including Standard Contractual Clauses or other mechanisms approved under applicable US and international data protection law. Only minimal and essential information is transferred in such circumstances.
Your rights under HIPAA
As a patient whose PHI is processed by uMed on behalf of your healthcare provider, you have the following rights under HIPAA:
- Right to access: You have the right to request access to your PHI held by your healthcare provider.
- Right to amend: You have the right to request correction of inaccurate or incomplete PHI.
- Right to an accounting of disclosures: You have the right to request a record of disclosures of your PHI made by your healthcare provider or uMed.
- Right to request restrictions: You have the right to request restrictions on how your PHI is used or disclosed.
- Right to confidential communications: You have the right to request that communications about your PHI be made through alternative means or locations.
- Right to a copy of this notice: You have the right to receive a paper copy of this notice at any time.
Because your healthcare provider remains the Covered Entity, many of these rights are most effectively exercised through your healthcare provider directly. Please contact your provider in the first instance for access or rectification requests.
Additional rights for California residents
If you are a California resident, you may have additional rights under the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected about you, the right to delete personal information, and the right to opt out of the sale of personal information. uMed does not sell personal information. To exercise your California rights, please contact us at patientsupport@umed.io.
You can opt out
You are in full control of your data at all times.
If you do not want your information to be processed by uMed, you can opt out at any time by:
- Emailing: patientsupport@umed.io
- Replying STOP to any SMS message you have received from us
You may also exercise your rights under HIPAA, including the right to request restrictions on the processing of your health information, by contacting uMed or your healthcare provider directly.
Opting out of uMed's processing will not affect the care you receive from your healthcare provider.
If you have already consented to participate in a specific research study, you may withdraw your consent at any time by contacting uMed or your healthcare provider. We will stop processing your data and inform the research team. Please note that it may not be possible to remove data already incorporated into completed research analyses.
Changes to this privacy notice
This notice may be updated periodically. The current version will always be available at www.umed.io/security-and-privacy. We will notify you of any material changes where we are able to do so.
Contact and complaints
For questions about this privacy notice or how your data is handled, please contact:
uMed Technologies Inc.
Email: dpo@umed.io
If you believe your HIPAA rights have been violated, you may file a complaint with the US Department of Health and Human Services Office for Civil Rights (OCR) at www.hhs.gov/ocr. You will not be penalized for filing a complaint.
We would appreciate the opportunity to address your concerns before you approach a regulatory authority, so please contact us first.
Last updated: May 27, 2026
