Collection, Use and Security of Personal Information
A. AHA Collection of Personal Information
1. The AHA will collect Personal Information on an individual only if the individual provides the information to the AHA. The AHA also may collect information about a person who has been referred to the website to send them emails regarding AHA’s efforts or a person to whom the AHA has been asked to send emails regarding AHA’s programs or efforts. If a person donates to the AHA, the AHA may collect sensitive Personal Information such as the donor’s credit card number, card type, expiration date and keep a record of the financial transaction.
The AHA may collect Demographic Information it obtains from individuals and third parties for fund raising purposes and to notify persons of AHA programs, events, educational opportunities and upcoming meetings.
The AHA may collect Aggregate and Transactional Information and add to its database every time a person visits an AHA Web Site. Also, the AHA collects Aggregate Information for research purposes.
2. Types of information: "Personal Information" is "Demographic Information" and/or "Medical Information" which identifies a specific individual with a minimal degree of effort. Demographic Information includes name, address, city and other similar information. Medical Information includes diseases, treatments, lifestyle behaviors, family history, genotype, phenotype and other similar information. Transactional Information is data collected on an individual based on the individuals' interactions with the AHA, which may include sensitive information such as credit card information and Medical Information. Aggregate Information is information presented in summary or statistical form which does not contain data that would permit the identification of a specific individual without extraordinary effort.
B. AHA Use of Personal Information
1. When an individual provides Personal Information to the AHA, the AHA may use the Personal Information for its programs, research and fund raising.
2. The AHA uses Transactional Information for research purposes for the development or implementation of its programs, products and services. The presumption is that, since Transactional Information is highly proprietary, it will not be disclosed to third parties.
3. The AHA will disclose all information as required by law.
4. The AHA will make every effort to discontinue the use of an individual's Personal Information as soon as practicable if requested by that individual. The AHA may need to retain Information in its archives and records to comply with law, resolve disputes, analyze problems, assist with any investigations, enforce AHA’s User Agreement and other policies, and take other actions otherwise permitted or required by law.
C. Specific Requirements
a. The AHA will take reasonable and appropriate measures to keep Personal Information confidential and in a secure environment, including taking appropriate action in the event of unauthorized disclosure.
b. Access to Personal Information will be restricted to only those personnel with a legitimate business purpose.
c. The AHA owns all Personal Information provided to it by individuals and collected in accordance with this Policy. When an individual provides Medical Information to the AHA, the AHA will ensure that the individual acknowledges their assignment of the right to use the data to the AHA.
2. Scientific Research
Any research funded by the AHA that involves human subjects (e.g., information collected on individuals) must be endorsed by the sponsoring institution's committee on clinical investigation or other appropriate body, and conform ethically to the guidelines prescribed by the National Institutes of Health, which includes obtaining informed consent from each individual.
3.Third Party Disclosure
Permission is required before the AHA discloses Personal Information to a third party. No permission is necessary for Aggregate Information, since Aggregate Information does not identify a specific individual.
a. For disclosure of Demographic Information (e.g., rentals or exchanges of donor lists), the AHA as a minimum will use the "Opt Out" approach. An "opt-out" is obtained when the AHA through some correspondence gives an individual the opportunity to decline or "opt-out" of disclosures to third parties. If the individual does not opt out, permission is deemed granted. Depending upon the nature of an activity or project, a higher standard than "opt-out" may be used, such as "opt-in" whereby an individual must affirmatively give consent before information is disclosed.
b. For research awardees, permission is deemed granted upon submission of an application for a grant to the AHA. Therefore, the AHA may disclose Personal Information, including funding and project summary information, on research program awardees to third parties.
c. For disclosure of Medical Information, Informed Consent is required before the AHA discloses Medical Information to a third party. Informed Consent occurs when an individual has sufficient facts about the disclosure, comprehends those facts, and voluntarily consents to the disclosure. Where a third party such as the employer or healthcare provider of an individual requires the individual to participate in an AHA program which collects Medical Information, the AHA will require the employer or healthcare provider to procure Informed Consent before the AHA will release Medical Information to that employer or healthcare provider.
d. From time to time, there is a benefit in allowing a third party to use collected Personal Information on individuals. However, unless an individual gives permission, the AHA will not disclose Personal Information collected by the AHA to any third party. The AHA sometimes engages third parties to provide certain operational services to the AHA or on its behalf. The AHA may disclose Personal Information to those third parties on a “need to know” basis under a written contract.
e. The AHA uses and allows third parties to use Aggregate Information for research purposes for the development or implementation of its programs, products and services.