Effective date: September 9, 2021
Boston Scientific's mission is to improve the quality of patient care and the productivity of health care delivery through the development and advocacy of less-invasive medical devices and procedures. As part of this mission, Boston Scientific designed and implemented the LATITUDE Patient Management system (LPM). The LPM allows healthcare providers to remotely monitor Boston Scientific implantable cardiac medical devices.
It is the policy of Boston Scientific to comply with all applicable laws governing the processing of personal information, including those associated with the safeguarding of sensitive or protected health information. Implementation of this policy is subject to specific laws in the countries where the patients reside.
To transfer personal data from the European Union to the United States, Boston Scientific has implemented the European Commission’s Standard Contractual Clauses between its EU, Swiss and US entities and with its service providers. Boston Scientific also has additional safeguards in place, such as encrypting the data at rest and in transit. An overview of the suppliers Boston Scientific uses to help support LATITUDE can be found at http://bostonscientific.eu/latitude (under key resources).
Furthermore, Boston Scientific abides by the Generally Accepted Privacy Principles (GAPP), as set forth below:
Management:
Boston Scientific has a program designed to protect personal information in its possession or control. This is done through a variety of privacy and security policies, processes and procedures. This program is overseen by Boston Scientific’s Chief Privacy Officer.
Notice:
Boston Scientific, through this policy, provides notice about its privacy practices. If Boston Scientific changes this policy, it will highlight the changes for at least 30 days.
In addition to this policy, the personal information handling practices are also governed by the privacy policies of the LATITUDE-participating healthcare providers.
Choice and consent:
Boston Scientific relies on the healthcare provider to provide patients the ability to choose, where applicable, how personal information is handled.
Compliance with EU General Data Protection Regulation 2016/679:
Boston Scientific subsidiary Guidant Europe N.V./S.A., located in Belgium, is the designated data controller for the LATITUDE system in Europe. Guidant Europe N.V./S.A. determines the means and the purpose of the LATITUDE system and associated data and is registered with the Belgian Data Protection Authority.
In some EU countries or with some clinics, Guidant Europe will only be recognized in a processor role, which will in any case be clarified in the contract with the clinic.
Patient consent is a cornerstone of protecting the rights of LATITUDE patients. Boston Scientific relies on clinics to inform potential users about the LPM system and Boston Scientific’s role and to collect the associated consent. Boston Scientific requires each clinic it works with to sign an agreement detailing the modalities by which patient consent is obtained. These agreements, known as Data Processing Agreements, establish mutual obligations regarding the processing of personal data between the parties.
Collection:
Boston Scientific collects personal information for the purpose of providing remote monitoring services for patients who have certain models of Boston Scientific implantable cardiac medical devices and have been enrolled in LPM through their healthcare provider. The types of personal information collected may include:
- Full name
- Date of birth
- Device model and serial numbers
- Telephone number
- E-mail address
- Health-related information, including cardiac condition and data relating to and generated by the patient's cardiac device, such as device settings and status indicators, and health data, including various types of cardiac measurements and events and measurements from external sensors
- Business contact information such as first and last name, title, telephone number, e-mail address, and postal address
- LPM credentials and browser information such as client IP address, client browser, and client OS version. This data is written to log files and not to the LATITUDE database. The logs are retained for 2 years.
Use, retention, and disposal:
Boston Scientific uses personal information for the management of its remote monitoring services, which includes customer and technical support, system maintenance, data compilation and analysis, data hosting, event reporting, program analysis and maintenance as well as internal reporting and to comply with reporting obligations to regulatory health authorities.
Boston Scientific retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information. Boston Scientific will keep personal information of patients for as long as they are equipped with the medical device and enrolled in the System and for up to six (6) years after their device has been taken out of service, unless a longer retention period is necessary to comply with a legal or regulatory obligation. Personal information related to healthcare professionals will be maintained for so long as LPM services are provided or requested, as necessary for Boston Scientific's legitimate business purposes, or as required by law. Clinic administration is responsible for managing access to the LPM platform.
Access to Personal Information:
Authorized Boston Scientific employees have access to healthcare provider personal information and that of enrolled patients in order to operate and support the application and the LPM. Boston Scientific recommends that patients work directly with their physicians to review their LPM data, so that medical staff may assist the patient in interpreting the data. Boston Scientific will provide access to personal information upon request in accordance with applicable law.
Disclosure to third parties:
Boston Scientific discloses personal information to the participating healthcare providers for remote monitoring of Boston Scientific implantable cardiac medical devices. Boston Scientific may also disclose personal information to third parties as needed to manage the remote monitoring services or as permitted or required by law. These third parties are required to handle personal information in a confidential manner and to maintain adequate security to protect the information from loss, misuse, unauthorized access or disclosure, alteration, and destruction.
Security of your personal information:
Boston Scientific employs administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the personal information that it creates, receives, maintains, or transmits. The LPM system is designed to coordinate the management of patients and their personal information between the clinics and Boston Scientific, while minimizing the risk of exposure of this data. Boston Scientific employees are bound by confidentiality requirements and receive appropriate training on their responsibilities. Boston Scientific regularly tests and monitors the effectiveness of its safeguards, controls, systems and procedures on the LPM system. The system complies with the ISO/IEC 27001:2013 information security management standard as well as ISO/IEC 27018:2014. LPM data is encrypted in transit and at rest in accordance with Boston Scientific’s requirements.
Quality:
Boston Scientific maintains accurate, complete, and relevant personal information for the purposes of providing remote monitoring services. Boston Scientific relies on data integrity tools and processes, along with timely and accurate updates from health care providers, to ensure data quality.
Monitoring, enforcement and privacy rights:
Boston Scientific monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes. To ask questions about Boston Scientific’s privacy practices, lodge a complaint, submit a patient access request, or submit a data subject request (including those granted under Art. 15 to 22 of the General Data Protection Regulation and of the UK GDPR Act), please contact our Global Privacy Office or our European Data Protection Officer through the methods listed below.
Boston Scientific Corporation
Global Privacy Office/Legal
300 Boston Scientific Way
Marlborough, MA 01752 (USA)
E-mail: GlobalPrivacy@bsci.com or via our Data Subject Request Form
For inquiries in the EU/EEA:
Boston Scientific Corporation
Attn: EU Data Protection Officer
c/Ribera del Loira, 46 Edificio 2
28042 Madrid (Spain)
E-mail: EuropePrivacy@bsci.com or via our Data Subject Request Form
Finally, in the EU/EEA and the United Kingdom you have the right to lodge a complaint with the data protection authority of your country (see the list at https://edpb.europa.eu/about-edpb/board/members_en) where you believe that your rights have been violated.
California Privacy Rights:
The Boston Scientific Privacy Notice for California Residents provides additional information for California residents under the California Consumer Privacy Act of 2018 (CCPA).