Privacy Policy – HIPAA


1.1 Introduction

1.2 Definitions

1.2.1 In this policy, unless otherwise indicated by the context: 

(a) “Business Associate” has the meaning given to it in clause 2.2.2(a). (b) “de-identified information” has the meaning given to it in clause 2.3.2. (c) “FSHD” means FSHD Global Research Foundation Limited (ABN 79 128 037 614). 

(d) “PJ Lab” means Peter Jones and Takako Jones Lab forming part of the University of  Nevada, Reno School of Medicine. 

(e) “PHI” has the meaning given to it in clause 1.1.11. 

(f) “Saliva Research Test” means the method of collecting DNA through a person’s  saliva for genetic testing for the purposes of research into a treatment and cure for  Facioscapulohumeral Dystrophy. 

(g) “Saliva Research Test Kit” means the kit issued by FSHD to you and identified in  clauses 2.5 and 3.4 for the purposes of conducting the Saliva Research Test. 

1.3 Privacy Officer

1.3.1 FSHD’s Privacy Officer is responsible for the development and implementation of policies and procedures relating to privacy including this policy, updating such policies and procedures, conducting regular staff training, receiving and responding to questions out FSHD’s privacy policies, handling complaints, maintaining records and responding to any data breaches that occur.

1.3.2 The Privacy Officer can be contacted as follows:
The Privacy Officer
FSHD Global Research
PO Box A296, Sydney South NSW 1235
Sydney NSW 2000

1.4 Safeguards

1.4.1 FSHD has established safeguards to protect the PHI it holds from loss, misuse, interference as well as unauthorised access, modification or disclosure, in breach of the HIPPA requirements. Safeguards include:
(a) ongoing training;
(b) locking of doors and cabinets where PHI is physically stored;
(c) implementation of and regular reviews of internal practices, procedures and systems;
(d) keeping employee access and authorisation up-to-date including secure and strong passwords and individual logins; and
(e) ensuring all devices, virtual private networks and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software); and
(f) implementation of multi-factor authentication for remote access systems and resources (including cloud services).

1.4.2 PHI collected is stored:
(a) electronically within an external internet-based server and also an internal server as back up; and
(b) PHI is stored within a password secure CRM program.

1.4.3 PHI collected by FSHD is only accessible by authorised staff members and contractors who may require access in connection with the purposes described in this policy.

1.4.4 FSHD uses a range of hardware and software security measures to protect its information and your PHI.

1.5 Access Authorisation

1.5.1 FSHD grants access to employees based on their employment duties and responsibilities.

1.5.2 The Privacy Officer in collaboration with FSHD’s Chief Executive Officer (CEO) is responsible for determining which individuals require access to PHI and the level of access they require. In the case of employees, access will be limited to senior management. This is determined on a case by case basis.

1.5.3 Once a determination is made in respect of an employee’s authorisation access, FSHD’s CEO, who also acts as FSHD’s internal information technology manager will impose the approved authorisation access levels.

1.5.4 Employees and/or contractors who are authorised to access PHI in accordance with this clause 1.5 will be managed by FSHD’s Chairperson and/or CEO.


2.1 Access to PHI is limited to certain employees

2.2 Use and Disclosure of PHI

2.2.1 For the purposes of this clause 2.2, these words have the following meanings: 

(a) “use” means the sharing, employment, application, utilization, examination or analysis  of individually identifiable health information by any person working for or within FSHD,  or a Business Associate of FSHD.


(b) “disclosure” means any release, transfer, provision of access to, or divulging in any  other manner of individually identifiable health information to persons not employed by  or working within FSHD’s business.  

2.2.2 Disclosures of PHI to Business Associates 

(a) For the purposes of this clause 2.2.2, a “business associate” is an entity that: 

(i) performs or assists in performing a FSHD business function or activity involving  the use and disclosure of PHI (including claims processing or administration,  data analysis, underwriting, etc); or 

(ii) provides legal, accounting, actuarial, consulting, data aggregation,  management, accreditation or financial services, where the performance of  such services involves giving the service provider access to PHI. 

Examples of Business Associates include: 

a third-party administrator that assists FSHD with carrying out its objectives; 

a CPA firm whose accounting services toa health care provider involves access  to PHI; 

an attorney whose legal services involve access to PHI. 

(b) With the approval of the Privacy Officer and in compliance with HIPAA and this policy,  employees may disclose PHI to FSHD’s business associates and permit FSHD’s  Business Associates to create or receive PHI on its behalf. 

(c) Approval will only be granted where: 

(i) FSHD obtains the assurances from the business associate that it will  appropriately safeguard the PHI; and 

(ii) the Privacy Officer has verified that a business associate contract in place  between FSHD and the business associate. 

2.3 Disclosures of De-Identified Information

2.3.1 FSHD may freely use and disclose de-identified information.

2.3.2 For the purposes of this clause 2.3, “de-identified information” is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. FSHD is required to destroy or de-identify PHI once it no longer requires such information for a primary or secondary purpose.

2.3.3 There are two ways that health information is deemed de-identified, that is by: (a) professional statistical analysis; or
(b) removing 18 specific identifiers.

2.3.4 The 18 specific identifiers referred to in clause 2.3.3(b) and which are outlined below, relating to the participant, employee, relatives, or employer must be removed and FSHD must ascertain there is no other available information that could be used alone or in combination to identify an individual:
(1) Names;
(2) Geographic subdivisions smaller than a state
(3) All elements of dates (except year) related to an individual, including any dates of admission, discharge, birth, death and for persons over 89 years of age, the year of birth must also be removed;
(4) Telephone numbers;
(5) Facsimile (fax) numbers;
(6) Electronic mail addresses (emails);
(7) Social Security Number;
(8) Medical Record numbers;
(9) Health plan beneficiary numbers;
(10) Account numbers;
(11) Certificate/license numbers;
(12) Vehicle identifiers and serial numbers including license plates;
(13) Device identifiers and serial numbers;
(14) Web URLs;
(15) Internet protocol addresses;
(16) Biometric identifiers, including finger and voice prints;
(17) Full face photos, and comparable images; and
(18) Any unique identifying number, characteristic or code.

2.3.5 When determining whether PHI has been de-identified, the person:
(a) tasked with this responsibility must have appropriate expertise; and
(b) must determine that the risk is very small that the information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify the individual; and
(c) must document the methods undertaken by them in coming to the determination and the reason or justification for coming to that determination.

2.3.6 If there is any risk that PHI has not been de-identified correctly and adequately, such information shall be deemed PHI and FSHD shall only use and/or disclose the PHI in accordance with the HIPAA requirements and this policy.

2.4 Removing PHI from FSHD Premises

2.4.1 If FSHD deems it necessary for an employee or contractor to work from a location other than an official FSHD site or place of business, PHI may be accessed and/or removed under the following circumstances:
(a) approval is obtained from a manager/supervisor prior to accessing or removing PHI;
(b) remote working conditions imposed by the Federal and/or State governments due to the COVID-19 pandemic;
(c) if attending external meetings / conferences where access to PHI is required, such access shall only occur through FSHD’s IT system;
(d) delivery of PHI from FSHD business premises to third party premises for the purposes of carrying out the objectives of FSHD and in the particular, the Portal must be transported in a secure lock box or carry case;
(e) the electronic removal of PHI (using flash drives) must be approved in advance by a manager/supervisor and the FSHD’s IT department. The flash drive must be password protected and the PHI files contained on the flash drive should be encrypted.

2.4.2 All FSHD employees and contractors are required to abide by the following safeguards when accessing, using or disclosing PHI whilst working from a location other than an official FSHD site or place of business:
(a) take all reasonable steps to keep PHI secure;
(b) when working remotely, only work on PHI in a secure and private environment; (c) keep the information with you at all times while in transit;
(d) when leaving your computer or laptop unattended for any period of time, ensure that it is locked with a secure and strong password;
(e) do not permit any other individual to access the PHI under any circumstance;
(f) only using FSHD IT platforms in carrying out employment and contractor duties/obligations including not saving work related documents or information to your personal computer, electronic and mobile devices;

2.5 Sharing of PHI with PJ Labs

2.5.1 When registering on the Site, you will be asked to complete an ‘About You’ questionnaire (the Questionnaire). Your responses to the Questionnaire and any PHI contained within those responses will be held by us in accordance with this policy.

2.5.2 During the Questionnaire process referred to in clause 2.5.1, you will be asked whether you wish to participate in a Saliva Research Test. If you choose and consent to providing a Saliva Research Test, you must complete additional questions to proceed (Saliva Research Test Questions). Your responses to the additional questions and any PHI contained within those responses will be held by us in accordance with this policy.

2.5.3 By answering the Questionnaire and the Saliva Research Test Questions, you consent to FSHD:
(a) sending a Saliva Research Testing Kit to your residential address by post; and
(b) providing your contact information, including but not limited to your full name, email address, date of birth and country of origin to PJ Labs to notify PJ Labs that a Saliva Research Testing Kit has been issued to you by FSHD.

2.5.4 Your contact information referred to in clause 2.5.3(b) will be sent by FSHD to PJ Labs by email.

2.5.5 You acknowledge that:
(a) you are responsible for posting the Saliva Research Testing Kit containing your saliva sample to PJ Labs at your own cost;
(b) PJ Labs will assess the saliva sample / DNA and prepare a report; and
(c) PJ Labs will send the report to you directly to the email address provided by you as part of the Questionnaire and/or Saliva Research Test Questions.

2.5.6 FSHD is in no way responsible or liable for PJ Labs issuing your report to an unrelated third party. By accepting this policy, you hold FSHD harmless against any loss or damage suffered by you as a result of your report being issued by PJ Labs to an individual or organisation, other than yourself or contrary to your directions.


3.1 Requests for access to and amendment of PHI

3.1.1 You have a general right to access your PHI collected and stored by FSHD and it’s Business Associates in accordance with this policy.

3.1.2 Registered users of the Site may access and update their PHI from time to time using their personal login on the Site. You have the right to correct PHI that FSHD holds about you.

3.1.3 FSHD may refuse the right for users to access their information that is subject to any legal restrictions.

3.1.4 If there are any aspects of your personal information that cannot be updated directly by you or that you are unable to access, then you can request access and correction of your personal information by completing a “Request to Access and/or Correct PHI Form” and submitting it to the Privacy Officer by post and/or email. The Form can be obtained by contacting the Privacy Officer.

3.1.5 A request to access and/or correct PHI must be made only in writing by the person to which the PHI relates or by a person who is duly authorised in writing by such person to act on their behalf, for example, a legal guardian or authorised agent.

3.1.6 FSHD reserves the right to request from you and/or a person authorised by you, information and/or documentation to verify identity. Such information/documentation may include:
(a) name and contact details;
(b) copies of photo identification;
(c) if your signature is held by FSHD, a formal document containing your signature; (d) reason for access/correction; and
(e) a written authorisation from you to FSHD.

3.2 Request for restrictions on uses and disclosures of PHI

3.2.1 You may request restrictions on the use and disclosure of your own PHI. Such requests must be made in writing to the Privacy Officer.

3.2.2 The Privacy Officer will consider the request for restriction and attempt to honor such requests, if, in the sole and absolute discretion of the Privacy Officer acting on behalf of FSHD, considers the request is reasonable in the circumstances. The Privacy Officer’s decision will be communicated to you in writing.

3.3 Requests for a copy of his/her Record

3.3.1 A participant can request a copy of their health information by completing a “Request for Copy of PHI Form” and submitting it to the Privacy Officer by post and/or email. The Form can be obtained by contacting the Privacy Officer.

3.4 Sharing of results from saliva test – consent and rights

3.4.1 You are not obligated to share with or provide a copy of the results from your saliva test referred to in clause 2.5 to FSHD.

3.4.2 If you voluntarily decide to share or provide a copy of the results from your Saliva Research Test to FSHD, you must do so by logging into your personal login on the Site and uploading a copy of your Saliva Research Test results to the designated area within your login. You acknowledge that the cost of sharing or providing a copy of your results to FSHD shall be borne by you and FSHD shall not be liable to reimburse you.

3.4.3 You acknowledge that if you voluntarily decide to share your Saliva Research Test results as outlined in clause 3.4.2, you will automatically become a member of the “FSHD Medical Research & Clinical Trial Readiness Program”, without requiring you to acknowledge or accept your membership.

3.4.4 You accept full responsibility for uploading your results to your personal login and ensuring your results are uploaded correctly and are accessible by FSHD.

3.4.5 If your results are not received by FSHD or are received by an unintended recipient, that is, any recipient other than FSHD, you agree and acknowledge that you shall hold FSHD harmless against any cause of action against FSHD for any loss or damage suffered by you as a result.

3.4.6 FSHD will hold your Saliva Research Test results as uploaded by you in accordance with clause 3.4.2 in its secure cloud together with your other PHI and otherwise in accordance with this policy.

3.4.7 In the event that your Saliva Research Test results are required to be used and/or disclosed by FSHD, FSHD shall only do so after such test results are de-identified and the use and/or disclosure of the de-identified data is in accordance with this policy.

3.4.8 By voluntarily providing your saliva test results to FSHD in accordance with this clause 3.4, you consent to FSHD disclosing:
(a) disclosing the de-identified data with research laboratories conducting research into a treatment and cure for Facioscapulohumeral Dystrophy; and
(b) connecting you to the research laboratories when clinical trials become available.

3.4.9 You may at any time prior to the de-identification process being completed by FSHD, request FSHD to destroy your saliva test results. By accepting this policy, you acknowledge that once the de-identification process has been completed by FSHD, any request by you to destroy your saliva test results may be impractical or impossible for FSHD to action.