Privacy Notice
For Healthcare Providers

This notice explains uMed's role as a Business Associate under HIPAA. uMed is never a Covered Entity and never acts as an independent data controller. All processing of protected health information (PHI) occurs solely under your direction and within the terms of your signed Business Associate Agreement (BAA) — whether held directly with uMed or through your EHR network partner.

Who is uMed?

uMed Technologies Inc., a Delaware corporation (uMed), is a clinical research and health technology company. uMed works with healthcare providers, IRB-approved research studies, and patient registries to identify and invite potentially eligible patients to participate in approved medical research.

uMed operates exclusively as a Business Associate under HIPAA (45 CFR § 164.504(e)). Your organization, as the Covered Entity, retains control over your patients' PHI at all times. uMed processes PHI only as permitted by the applicable BAA and your instructions.

Principal place of business and mailing address: PO Box 726, 241 Arlington Street, Acton, MA 01720-2200, USA


How uMed Connects with Your Organization

uMed Technologies Inc. operates exclusively as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). Your organization remains the Covered Entity and retains full control over your patients’ protected health information (PHI) at all times.

uMed offers two options for connecting with your organization:

Option 1 — Roster Model (requires a Business Associate Agreement)

Your organization shares a patient roster file containing limited PHI with uMed. This can be done in one of two ways:

- Direct BAA: Your organization signs a Business Associate Agreement (BAA) directly with uMed.

- Via Network Partner: Your organization already has a BAA with an EHR network partner (such as WellSky). In this case, uMed operates as a subcontracted Business Associate under the network partner’s existing BAA, in accordance with 45 CFR § 164.504(e).

Under this option, uMed performs eligibility screening and contacts approved patients on your behalf after your organization has reviewed and approved the list.

Option 2 — Patient Self-Registration Model (no BAA required)

uMed provides your organization with a secure link that can be sent directly to eligible patients (via email, SMS, or other approved method).

Patients click the link and complete registration, eligibility screening, and informed consent directly on the uMed platform. This option does not require a direct Business Associate Agreement with uMed and involves minimal ongoing involvement from your practice staff.

In both options, uMed processes only the minimum necessary PHI, in full compliance with applicable law and your organization’s instructions as the Covered Entity. No PHI is shared with researchers until the patient has provided explicit informed consent and HIPAA authorization.

Your Organization's Responsibilities Under the BAA

As the Covered Entity, your organization is responsible for:

- Ensuring patients receive appropriate notice that their information may be used for research identification purposes, consistent with your Notice of Privacy Practices (NPP)

- Authorizing uMed (directly or via your network partner) to process PHI only as necessary to perform the specific functions, activities, or services described in the applicable Underlying Service Agreement(s)

- Reviewing and approving eligible patient lists before uMed initiates any patient contact

- Ensuring your use of uMed's services is consistent with all applicable IRB approvals and ethics committee conditions

- Notifying uMed promptly of any changes to your data sharing permissions or patient opt-out registrations


How uMed Contacts Patients

On your behalf and under your authorization, uMed may contact patients via:

- Letter or postcard issued on behalf of your organization

- Telephone call from our trained research nurses

- Secure email

- SMS/text message (where the patient has provided a mobile number)

All outreach prior to consent is conducted as an activity preparatory to research under HIPAA (45 CFR § 164.512(i)(1)(ii)). No PHI is shared with researchers until the patient has provided explicit informed consent and HIPAA authorization (45 CFR § 164.508).

SMS messages comply with the Telephone Consumer Protection Act (TCPA). Patients may opt out at any time by replying STOP to any message.

uMed's Security Obligations as Your Business Associate

uMed is contractually and legally required to:

- Implement appropriate administrative, physical, and technical safeguards in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C)

- Use PHI only for the approved research or registry purpose specified in the BAA

- Require all subcontractors (e.g., secure cloud providers such as AWS) to sign BAAs and meet the same protection standards

- Report any breach of unsecured PHI to your organization without unreasonable delay, in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)

- Return or securely destroy all PHI upon termination of the applicable service agreement, within the timeframe required by the Business Associate Agreement

uMed is ISO 27001:2022 and ISO 9001:2015 certified. All systems protect PHI with AES-256 encryption at rest and TLS (1.2 minimum) in transit, multi-factor authentication, and strict role-based access controls.

Patient Rights and Your Obligations

Your patients' HIPAA rights — including the right to access, amend, restrict, or obtain an accounting of disclosures of their PHI — are exercised through your organization as the Covered Entity, not through uMed directly.

Your organization should ensure your Notice of Privacy Practices (NPP) accurately reflects your use of uMed as a Business Associate for research identification purposes.

Patients may opt out of uMed contact at any time by:

- Contacting uMed directly at dpo@umed.io or replying STOP to any SMS

- Notifying your organization, which should update the roster or contact uMed accordingly

uMed maintains a permanent opt-out list. Once added, a patient will not be contacted about any future study or registry unless they actively opt back in.

Applicable Law and Additional State Requirements

All processing is conducted in accordance with HIPAA, the HITECH Act, and applicable US state privacy laws. Where patients are located in states with specific requirements, uMed will comply with those requirements, including:

- California: Confidentiality of Medical Information Act (CMIA) and CCPA/CPRA

- New York: SHIELD Act

- Other applicable state health privacy statutes

uMed does not sell patient data. uMed does not use patient data for marketing or any purpose beyond the approved research or registry activity described in the BAA.

Contact

For questions about this notice, your BAA, or uMed's data handling practices, please contact:

uMed Technologies Inc.

Privacy Officer  |  Email: dpo@umed.io  |  US toll-free: +1 888-454-5580

Post: PO Box 726, 241 Arlington Street, Acton, MA 01720-2200, USA

Your patients may also file a complaint with the US Department of Health and Human Services Office for Civil Rights (OCR) at ocrportal.hhs.gov. Your organization and its patients will not be penalized for filing a complaint.

Changes to This Notice

This notice may be updated periodically.

Last updated: May 27, 2026