Patient Notice
Effective June 2024
iRhythm Technologies Ltd. and iRhythm Technologies, Inc. ("iRhythm™") care about your confidentiality and privacy rights and comply with data protection laws to keep your information safe. Please read this patient notice carefully before returning it with your Zio™ monitor to iRhythm.
By returning the Zio monitor to us, you acknowledge that you have read and understood this patient notice (as contained in the Zio booklet).
Your doctor has prescribed the Zio service for you. iRhythm provides the Zio service, which includes long-term heart monitoring and evaluation. Your doctor will, with your consent, start the Zio service by attaching an adhesive monitoring device to your chest. This device will collect your heart rhythm data. Your doctor will collect identification information such as your name, address and date of birth to safely identify your resulting heart rhythm report, and register it on iRhythm’s physician portal. Your heart rhythm data will be sent to iRhythm when you return the Zio patch by post.
iRhythm receives and processes your personal data in confidence to help create a report of the findings. Only iRhythm, your doctor and hospital will have access to this report for the purpose of supporting your direct care. iRhythm may also replace your direct identifying information with a reference number and study your heart rhythm data for two reasons: (i) reporting to your doctor and (ii) improvement of iRhythm services.
How to contact iRhythm
You have the right to object to the disclosure of your personal data. If you wish to do so, or have any question about the processing of your data, please contact the iRhythm Privacy Official via email at privacy@irhythmtech.com or by calling from Austria 0800018108, from Netherlands 08000221642, from Spain 900751451, from Switzerland 0800562826. Please also consult your doctor regarding his or her privacy practices.
Calls may be recorded or monitored for training and quality purposes with callers notified prior to being connected with a call handler. When necessary, calls made outside of normal UK working hours may be diverted to iRhythm's support team in the United States.
2. Data protection
Here we explain how iRhythm collects and uses your personal data and heart rhythm data during and after your use of the Zio service.
How will iRhythm use personal data it receives about you?
iRhythm processes your personal data as a data controller for the following purposes and on the corresponding lawful bases in connection with providing the Zio service.
Your personal data will be used for the purposes set out in this patient notice. If iRhythm needs to use your personal data for an unrelated purpose not set out in this patient notice, we will notify you and, where relevant, obtain your consent.
| Purpose | Lawful basis (personal data) | Lawful basis (special 'sensitive' category data) |
| --- | --- | --- |
| Provision of diagnostic services supported by our use of AI to improve diagnostic accuracy and patient safety. See 'Our use of AI' below, for more information. | Legitimate interest in your health care and in supporting clinical treatment decisions. | Providing preventative medicine and diagnostic services by supporting medical diagnosis for the purpose of healthcare treatment. |
| Improving the quality of diagnostic services including our use of AI to improve diagnostic accuracy and patient safety. See 'Our use of AI' below, for more information. | Legitimate interest in your health care and in supporting clinical treatment decisions. | Management of systems and services providing preventative medicine and diagnostic services. |
| Statistical analysis and reporting. | Legitimate interest in research improving diagnostic and clinical treatment decisions. | Research and statistical purposes. |
| Clinical standards and reporting. | Complying with legal obligations to which we are subject. | Public interest in the area of public health necessary for maintaining standards relevant to healthcare and medicinal products. |
| Patient protection. | Necessary in any emergency situation in order to protect your vital interests (or the interests of another person). | Necessary in any emergency situation to protect your vital interests (or the interests of another person). |
| Assessing, responding to and reporting on patient enquiries, experience, complaints and feedback, including calls to iRhythm’s Customer Support Team. | Necessary for our legitimate interest in service delivery and improvement. Necessary to assess and comply, where applicable, with legal obligations. | Where volunteered by you with consent. Public interest in the area of public health necessary for maintaining standards relevant to healthcare and medicinal products. |
iRhythm may also be engaged by a health care provider to process your personal data on its behalf as a data processor. In these instances, iRhythm will process your personal data only as instructed by the data controller, as set out in a contract between iRhythm and the data controller, and as required by applicable data protection law.
Our use of AI
Our use of AI, which follows highly regulated industry standards, helps eliminate the risks of error associated with a purely human review of heart rhythm data. Our diagnostic systems do not use solely automated decision-making; they support, rather than replace, clinician review by drawing on understanding derived from analysing and comparing thousands of different heart rhythm patterns. This learning helps our software to recognise and flag anomalies for closer inspection by our clinicians, thereby enabling more efficient heart rhythm analysis for faster, more reliable diagnostic outcomes.
We apply rigorous measures to ensure data we use for this purpose is safeguarded under data protection law. Heart rhythm data and associated clinical markers are extracted and processed in a separate environment from your identifying data. The purpose of this processing is to better inform, at a system level, the understanding of different diagnostic models rather than decisions relating to you.
Data sharing
We may share your information in the following circumstances:
- Within the iRhythm Group when needed to support our processing of your personal data.
- iRhythm may provide personal data to third parties including our vendors, partners and service providers (e.g. cloud service providers) who perform services on our behalf. These providers have limited access to your personal data only to the extent necessary to perform these support tasks on our behalf and subject to the same confidentiality and security safeguards as those applied by iRhythm.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
We are responsible and remain liable for the processing of personal data we receive, including where this involves an International Transfer of personal data or if we subsequently transfer to a third party acting as an agent on our behalf as described further below.
International Transfers
In accordance with data protection law(s), iRhythm will transfer only necessary personal data to its independent diagnostic testing facility in the United States and may share details of specific enquiries, reports or complaints received with the iRhythm US support team, in each case subject to applicable legal and supplemental safeguards.
Approved Standard Contractual Clauses and Supplemental Safeguards
iRhythm has executed approved Standard Contractual Clauses (SCCs) with iRhythm in order to provide adequate data protection for this data transfer. iRhythm also seeks to apply supplemental safeguards in support of the use of legal data transfer mechanisms, including pseudonymization of transmitted Zio patch data (using a patch serial number rather than a direct patient identifier) and encryption of transmitted data. iRhythm will keep under review the continued adequacy of any data transfer arrangement.
Data Privacy Framework
iRhythm complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. iRhythm has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, iRhythm commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact iRhythm at privacy@irhythmtech.com or by calling from Austria 0800018108, from Netherlands 08000221642, from Spain 900751451, from Switzerland 0800562826.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, iRhythm commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to TrustArc, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://trustarc.com/dispute-resolution/ for more information or to file a complaint. The services of TrustArc are provided at no cost to you.
How long will your information be used for?
We retain personal data for the length of your use of the Zio service and as necessary to meet our contractual obligations, to identify issues or to resolve legal proceedings. We may also retain aggregate information beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes.
Your rights in connection with personal data
You have the right under certain circumstances:
- To be provided with a copy of your personal data held by us
- To request the rectification or erasure of your personal data held by us
- To request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example)
- To object to the further processing of your personal data
- To request that your provided personal data be moved to a third party
Where the processing of your personal data by us is based on consent, you have the right to withdraw that consent by contacting us, your doctor or hospital. The possible consequences of this will be explained to you and could include delays in diagnosis, care or treatment that the Zio service supports.
Contacting iRhythm and resolving disputes about your information
You can contact iRhythm about your rights or with any questions about this privacy policy, as further described above, by contacting the iRhythm privacy official via privacy@irhythmtech.com or by calling from Austria 0800018108, from Netherlands 08000221642, from Spain 900751451, from Switzerland 0800562826.
Complaint to Data Protection Authority
If your request or enquiry is resolved to your satisfaction, you may approach your supervisory authority for data protection concerns in the following countries:
United Kingdom: Information Commissioner’s Office, https://ico.org.uk/
Austria: Österreichische Datenschutzbehörde, https://www.dsb.gv.at/
Spain: Agencia Española de Protección de Datos, https://www.aepd.es/es
Netherlands: Autoriteit Persoonsgegevens, https://www.autoriteitpersoonsgegevens.nl/
Switzerland: Federal Data Protection and Information Commissioner, https://www.edoeb.admin.ch/
FTC enforcement
iRhythm is subject to the investigation and enforcement actions of the Federal Trade Commission (FTC). iRhythm may be required to share your personal data, including the disclosure of EU personal data, to public authorities and law enforcement agencies in response to lawful requests, including requests to meet national security and law enforcement requirements.
Binding Arbitration
Under certain conditions, you may be able to invoke binding arbitration for complaints regarding iRhythm’s compliance with the Data Privacy Framework not resolved by any of the other mechanisms provided. For more information on binding arbitration for Data Privacy Framework complaints, please visit DPF ANNEX I-Introduction.