Revised Date: October 11, 2023

BEESY, LLC is committed to protecting the privacy and security of your personal information. This comprehensive Privacy Policy explains how we collect, use, share, and protect personal information (PII) about you when you participate in our market research studies and how we handle Protected Health Information (PHI) as a business associate of covered entities under HIPAA regulations. We conduct various types of research, including pharmaceutical, medical device, and healthcare-related studies.

BEESY conducts healthcare primary market research globally, with a particular focus on the United States and European Union. We comply with all applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and all other relevant state and federal laws in the United States. We strive to conform our privacy practices to applicable laws and regulations, and the codes of standards of applicable market and opinion survey research associations, including, without limitation, Insights Association, ESOMAR, BHBIA, and EphMRA.

This Privacy Policy applies to all personal information collected during your participation in our research studies, whether online, by telephone, or in person. It does not cover information collected through other means or for other purposes.

Key Definitions: PII vs. PHI

It’s important to understand the difference between Personally Identifiable Information (PII) and Protected Health Information (PHI):

Personally Identifiable Information (PII): This is any information that can be used to identify an individual. It can include direct identifiers like name and contact information, as well as indirect identifiers like demographic data and professional information when combined. Examples of PII include name, address, email, phone number, IP address, and online identifiers.

Protected Health Information (PHI): This is a subset of PII and includes any individually identifiable health information that is created, received, used, or maintained by a covered entity (like a healthcare provider) or its business associate (like BEESY). PHI relates to an individual’s past, present, or future physical or mental health condition, the provision of healthcare, or the payment for healthcare. PHI is protected under the Health Insurance Portability and Accountability Act (HIPAA). PHI includes not just medical records but also billing information, insurance details, and conversations with healthcare providers. Removing the following 18 identifiers can result in “de-identified” data, which has different rules under HIPAA.

Information We Collect

We only collect the minimum amount of information necessary for research purposes. This includes:

  • Survey and other research data collected from you
  • Data we obtain from secondary sources that track certain kinds of data within the healthcare industry
  • Personal Data (PII)
  • Protected Health Information (PHI)

Types of Personal Information (PII)

We may collect the following types of personal information about you:

  • Contact information (e.g., name, email address, phone number, postal address)
  • Demographic information (e.g., age, gender, ethnicity, education level)
  • Professional information (e.g., medical specialty, years of experience, place of work)
  • Health-related information (e.g., medical conditions, treatments, prescribing habits)
  • Opinions and feedback provided during research studies
  • Technical information (e.g., IP address, device type, browser type)
  • Audio or video recordings of research sessions (with your explicit consent)

For physicians and healthcare providers, this may include numbers such as a US Medical Education Number assigned by the American Medical Association (ME Number), state license numbers, or National ID numbers that immediately reveal your identity.

From time to time, we may also collect sensitive personal data, including health information (such as specific medical conditions, treatments, or genetic information) and financial information (such as bank account details used for incentives).

Protected Health Information (PHI)

PHI is personally identifiable health information in any form, including oral, written, and electronic. PHI includes the following 18 unique identifiers:

  • Name
  • Specific dates (birth, admission, discharge, death)
  • Telephone numbers
  • Social security number(s)
  • Medical record number
  • Photographs
  • City, zip code, and other geographic identifiers
  • Fax numbers
  • Electronic mail addresses
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Any other unique identifying number, characteristic, or code that could identify the individual

We will always collect your Personal Data and PHI by fair and lawful means.

How We Collect Information About You

When collecting personal information from you, BEESY will explain the purpose of collecting the information and will answer any questions you may have. Your participation is always voluntary, and you have the right to refuse or withdraw your consent at any time. BEESY, LLC and its employees collect data through a variety of means including but not necessarily limited to surveys, phone and in-person interviews. Some of your information may be collected from other sources such as third-party recruitment firms.

How We Use Your Information

When you participate in one of our surveys or other research programs, we combine the information you provide with the information of all other research participants and report aggregate responses. Individual responses are combined with those of other participants to create summary data, ensuring that no individual’s personal information is identifiable. Additionally, we may use data we collect in statistical modeling to better understand trends among the general population. When we conduct such statistical modeling, we never release your Personal Data. Data is only used for research purposes and not for marketing, sales, or other unrelated activities.

We use your personal information for the following purposes:

  • To conduct market research studies and analyze results
  • To verify your eligibility for participation in our studies
  • To communicate with you about research opportunities and study logistics
  • To process honoraria or incentives for your participation
  • To improve our research methodologies and services
  • To comply with legal and regulatory requirements
  • To update our records of your Personal Data
  • To manage our incentive programs and fulfill your requests for such incentives
  • To allow you to participate in sweepstakes (if permitted)
  • To report safety data
  • To respond to any messages or requests you may send to us
  • To provide service and support to you and as otherwise authorized by you

We only use your Personal Data for the conduct of research and for no other purpose. We do not use the contact information we receive about you for any direct marketing activities, nor do we share your contact information with third-party vendors for the purposes of marketing activities.

Please note that receiving email communications may be a requirement of your participation in our surveys or other research programs. You can opt out from receiving these emails by unsubscribing from the survey or other research program.

What We Do Not Do With Your Information

We only disclose aggregated and de-identified survey responses to our customers. Individual responses are combined with those of other participants to create summary data, ensuring that no individual’s personal information is identifiable. We may share de-identified information with our clients; however, patient confidentiality is protected. We do not disclose protected health information about you to our clients without your prior written consent. We do not sell, rent, or lease your personal information to third parties.

Legal Basis for Processing (EU/UK Participants)

For participants in the EU or UK, we process your personal information based on the following legal grounds:

  • Your consent, which you can withdraw at any time
  • Our legitimate interests in conducting market research and improving our services
  • Compliance with legal obligations

Data Sharing and Transfers

We may share your personal information with:

  • Our clients (in anonymized or aggregated form only)
  • Service providers who assist us in conducting research (e.g., survey platforms, transcription services)
  • Legal and regulatory authorities, when required by law

We may disclose your Personal Data and/or survey responses or other research data to third parties as follows:

  • In accordance with Insights Association guidelines, we may provide your Personal Data to a third party, including the client who commissioned the survey or research program activity you participated in, so long as such third party is contractually bound to keep the information confidential and use it only for research or statistical purposes
  • In connection with our services (including our incentives programs) to our service providers, including information technology hosting providers, cloud service providers, market research service providers, our agents, contractors or partners; provided, however, that the use of your Personal Data is limited to that required to provide services to BEESY
  • In connection with the request or requirement of any lawful request by public authorities, to meet national security or law enforcement requirements
  • Pursuant to required legal process, to the related compelling party
  • When we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with suspected or actual illegal activity
  • In connection with the sale, assignment, or other transfer of BEESY, in which case we will require any such buyer to agree to treat Personal Data in accordance with this Privacy Notice
  • As otherwise authorized by you

BEESY is based in the United States and may transfer your personal information to countries outside your country of residence. We implement appropriate safeguards to protect your information when transferred internationally, including standard contractual clauses approved by the European Commission.

BEESY will require others who acquire or provide Personal Data to BEESY, including those engaged to provide support services, to adopt and comply with the principles in this Privacy Notice. BEESY acknowledges its potential liability in cases of onward transfers to third parties.

Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal requirements. Typically, we retain research data for up to 6 years after the completion of a study, unless a longer retention period is required by law or our clients. After the retention period, we securely anonymize and delete research data unless legally required to retain it.

We may maintain Personal Data or machine identifiable information in order to satisfy your requests and/or BEESY’s business requirements. For instance, we may retain the email addresses of persons who opted out, or requested to be removed from, a survey or other research program to ensure we conform to such wishes.

Your Rights

Depending on your location, you may have certain rights regarding your personal information, including:

  • The right to access your personal information
  • The right to correct inaccurate information
  • The right to erasure (“right to be forgotten”)
  • The right to restrict processing
  • The right to data portability
  • The right to object to processing
  • The right to withdraw consent

If you withdraw from a study, BEESY will stop contacting you for research. Unless otherwise required by law, we will also delete or de-identify any previously provided data upon request.

To exercise these rights or for any privacy-related inquiries, please contact our Compliance Officer at [email protected]. We will provide a form or instructions via email on how you can easily exercise your rights. If you transfer data internationally, we use Standard Contractual Clauses to ensure data protection.

Security Measures

BEESY implements appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include data encryption (in transit and at rest), access controls and authorization procedures, regular security audits and vulnerability assessments, and employee training on data privacy and security.

In the event of a data breach, we will notify affected individuals as required by applicable data breach notification laws. We will take steps to mitigate the impact of the breach and prevent future occurrences.

For more information, contact our Head of Product Engineering at [email protected].

Healthcare Professional Payment Disclosure Requirements

Our incentive program is administered in accordance with all applicable laws and practices. Under these regulations, certain payments to healthcare professionals may be subject to reporting to the respective bodies, who will make the details available for public viewing on their website. These details can include the value of the incentives redeemed, the personal details of the recipient, and the subject matter associated with each payment. If such disclosure is required for one of our surveys or research programs, we will advise you as part of the consent process for that specific survey/program. To learn more, please contact us at [email protected].

Disclosure of Safety Data

BEESY is obligated by contractual agreements with our clients to disclose any safety data (Adverse Events/Product Quality Complaints) that is reported about a medical product. An Adverse Event is any unexpected experience that occurs while a person is on treatment or within a pre-specified time period after treatment has been completed. A Product Quality Complaint is any deficiency associated with the product which can include packaging errors, unusual changes in appearance, taste, or smell, and other issues.

If you disclose safety data to us, we will report to the client for whom the research is being conducted only the minimal amount of non-personally identifying information about the affected individual as is needed to satisfy the US Food and Drug Administration (FDA) and other equivalent global regulatory agency requirements. We will obtain your consent before disclosing your name and contact information to the client for follow-up purposes, except in Germany where only anonymous reports will be submitted.

Automated Data Collection

We may automatically collect machine-readable information about you, including:

  • Date and time of website visits
  • Pages visited
  • Referring website
  • Browser and operating system type
  • IP address and domain name of your Internet service provider

We may use cookies, web beacons, log files, and digital fingerprinting technology to collect and analyze data about your participation in our research activities. You can adjust your browser settings to manage cookies, but this may affect your user experience.

For more info, check out our Website Privacy Policy at https://beesystrategy.com/privacy-policy/

Information from Patient Record Studies

For physicians and healthcare providers, we may request non-personal information from patient records during surveys or interviews. We apply strict confidentiality and security standards to this data and do not collect or retain any personal data about individual patients.

Children’s Privacy

We do not allow individuals younger than 18 years of age to participate in our research unless verifiable consent has been given by their parents or legal guardians. For children under 13, we comply with the Children’s Online Privacy Protection Act of 1998 (COPPA) and obtain parental consent before participation in online research studies.

HIPAA Compliance

As a business associate of covered entities, BEESY is legally required to comply with HIPAA regulations when handling Protected Health Information (PHI). We will comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (the “Privacy Rule”, 45 C.F.R. Parts 160-64), when handling PHI as required by law. We will report any unauthorized use or disclosure of PHI to the covered entity. We also ensure that our subcontractors or third parties comply with HIPAA requirements.

As part of business practices related to market research, BEESY may receive Protected Health Information or collect, use, or maintain PHI on behalf of covered entities. PHI is confidential information specific to individual patients. BEESY is accountable and responsible for PHI under its control. As such, BEESY will comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (the “Privacy Rule”, 45 C.F.R. Parts 160-64), when handling PHI as required by law.

Definitions

  1. Business Associate: “Business Associate” shall mean BEESY, LLC and shall also have the meaning given to such term under the Privacy Rule, including 45 C.F.R. § 160.103. BEESY will comply with the HIPAA Security Rule and Breach Notification Rule, in addition to the Privacy Rule.
  2. Covered Entity: “Covered Entity” shall mean any BEESY, LLC client(s) and shall also have the meaning given to such term under the Privacy Rule, including 45 C.F.R. § 160.103.
  3. Third-Party: “Third-Party” shall mean any vendor or subcontractor to BEESY, LLC.
  4. Privacy Rule: “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E.

We review and update our privacy policy annually or as needed and will notify users of any material changes.

If you have any questions or concerns about our privacy practices, please contact us at [email protected].

Luka Dragutinovic
[email protected]
BEESY, LLC
300 Main St Ste 21 PMB #1200
Madison, NJ 07940