CGI Website Privacy Policy

At Cancer Genetics, Inc. (“CGI”), we recognize that privacy is important, which is why CGI is committed to maintaining and protecting the privacy of our customers, patients, partners, employees and all others who may visit a website belonging to CGI.

This Website Privacy Policy (this “Policy”) details our practices regarding the collection, use and disclosure of information that you may provide CGI with throughout this site and all websites offered by CGI or its subsidiaries or affiliated companies through the Internet. This also includes the privacy of the choices you have about how this information is used. For information related to the protection of individually identifiable health information (known as “Protected Health Information” or “PHI”) which we collect as a result of our testing services, please reference the Notice of Privacy Practices Related to PHI located elsewhere on our website.

Consent

BY USING OUR SITE, YOU CONSENT TO THE COLLECTION, USE AND DISCLOSURE OF INFORMATION AS DESCRIBED IN THIS POLICY.

Collection and Use of Personally Identifiable Information

Collection

CGI only collects personally identifiable information through its websites (such as an individual’s name, e-mail address, account password, etc.) when it is voluntarily submitted to CGI by you as permitted under applicable law. For example, when you choose to register for an account through our site or for a promotion or service that requires registration, we may ask you to provide some personal information such as your first and last name, medical practice name, job title, phone number, e-mail address, type of medical practice and similar information required to issue you a username and password. We may also ask for similar information in order to fulfill additional requests you make through our website or a site maintained by a third party on our behalf, including, but not limited to product and or services information or in connection with your application for employment.

Use of Personally Identifiable Information

Health Care Professionals – For health care professionals that take advantage of our clinical laboratory services in treating their patients or are considering using our clinical laboratory services, we may use your personal information to (i) inform or send you information on services we provide or services you may request; (ii) to assist you with questions that you may have about our services; (iii) contact you regarding payment matters; and (iv) in order to evaluate the services we offer or similar marketing purposes, such as conducting surveys.

User Communications – When you send email or other communications to CGI, we may retain those communications in order to process your inquiries, respond to your requests and improve our services.

Affiliated CGI Services Through Other Sites – We may offer some of our services on or through other websites operated by third parties. Personal information that you provide to those sites may be sent to CGI in order to deliver the service such as if you apply for a job with CGI through another website or if you make a payment to CGI through another site. In this case, we will process information that we receive about you from these third parties under this Policy. The affiliated websites through which our services are offered may have different privacy practices and we encourage you to read their privacy policies.

You can decline to submit certain personally identifiable information, but in such case, CGI may not be able to provide those services to you.

Collection and Use of Non-Personally Identifiable Information

We offer a number of services that may not require you to register for an account or provide any personal information to us. For example, we track the total number of visitors to our website, the number of visitors to each page of the website, and the domain names of our visitors’ Internet service providers. No personally identifiable information is gathered in this process. In order to provide our full range of services, we may collect any or all of the following types of information:

Cookies

CGI tracks visitors to our site through the use of cookies. When you visit any site maintained by CGI, we may send one or more cookies – a small file containing a string of characters – to your computer or other device that uniquely identifies your browser to us, upon your return to our site. We use cookies to improve the quality of our service, including for storing user preferences and tracking user trends. The cookies we use do not collect or keep your personal information, but cookies do identify your browser and may save information requested by our website in your computer’s memory.

Most browsers are initially set up to accept cookies, but you can reset your browser to allow you to control whether you will accept cookies, refuse all cookies or to indicate when a cookie is being sent. However, some CGI features and services may not function properly if your cookies are disabled.

Links

CGI may present links in a format that enables us to keep track of whether these links have been followed. We use this information to improve the quality of our website, its technology and content.

Web Browser Information

When you access CGI services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.

Information Sharing

CGI does not sell, rent or share your personal information with non-affiliated third parties. However, to provide our services we may provide your personal information gathered through this site with other companies or individuals outside of CGI in the following limited circumstances:

We may provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing or using personal information on our behalf. We require that these parties agree to use or process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.

We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable policies, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of CGI, its users or the public as required or permitted by law.

After having received your consent for the sharing of any sensitive personal information.

If CGI becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will ensure the confidentiality of any personal information involved in such transactions and provide notice on this page before personal information is transferred and becomes subject to a different privacy policy.

In addition, we have procedures that limit CGIs’ employees and contractors’ access to personal information. Only those employees and contractors with a business reason to know have access to such information. We educate our employees about the importance of confidentiality and customer privacy through standard operating procedures, mandatory training programs, and internal policies on data privacy and corporate integrity. We take appropriate disciplinary measures to enforce employee privacy responsibilities.

How We Protect Information Online

It is our policy to protect your account information against unauthorized access or release. We use the services of VeriSign and ICSA.net to verify and assist in our security measures. All the information you provide to us is handled through a Secure Socket Layer (“SSL”). SSL is a leading Web technology that encrypts your account information. Please exercise caution when sending sensitive information via e-mail, as e-mail messages do not have the security features that are built into our website.

Other Websites

CGI provides links to third party websites through CGI site, which may provide you with useful information or offer helpful services as a convenience. Links contained on our site that transfer you to a non-CGI site are not controlled by CGI and may contain different information and/or different privacy policies than CGI. CGI is not responsible for the privacy policies of or content on any such third party website. You should review the privacy policies for these third parties’ should you choose to access these sites. These other sites may place their own cookies or other files on your computer, collect data or solicit personal information from you.

Children’s Access

Our websites are created for an adult audience and are not designed or intended to attract children under the age of 13 in any way. We do not knowingly collect personal information from children under the age of 13.

Contact Us

If you have any feedback or questions regarding this Policy, please feel free to contact us at:

Cancer Genetics, Inc.

Meadows Office Complex

201 Route 17 North

2nd Floor

Rutherford, NJ 07070

Main Phone: +1.201.528.9200

Fax Line: +1.201.528.9201

Email: contact@cancergenetics.com

Changes

Please note that this Policy is subject to change from time to time. We will update this Policy on this page with any such changes. Therefore, please review this website periodically to ensure you are aware of our current policy on privacy matters in using this, or other websites offered by CGI.

Notice of Privacy Practices Related to Public Health Information (PHI):

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Cancer Genetics, Inc. (“CGI”) is a provider of clinical reference laboratory testing services and information, and is dedicated to the treatment and management of hematologic malignancies and other forms of cancer. CGI is committed to protecting the confidentiality of laboratory test results and other personal health information that we collect, create or disclose as a result of our testing activities.

We are required by federal law to maintain the privacy of your individually identifiable health information (known as “Protected Health Information” or “PHI”) and to provide you with notice of our legal duties and privacy practices with respect to your PHI. This protection extends to any PHI whether in oral, written or electronic format. CGI is required by law to abide by the terms of this Notice of Privacy Practices Related to PHI (this “Notice”) currently in effect. Your other health care provider(s) may have different policies regarding the use and disclosure of your PHI created by and maintained by them.

CGI is committed to obtaining, maintaining, using and disclosing PHI in a manner that protects patient privacy in compliance with all applicable local, state and federal laws and regulations. We strongly urge you to read this Notice carefully and thoroughly so that you will understand both our commitment to protecting the privacy of your PHI and how you can participate in the protection of this information.

Note Regarding State Law

For all of the above purposes, in cases where state law is more restrictive than federal law, we are required to follow the more restrictive state law. For example, some states require physician authorization to release laboratory test results to patients, and other states prohibit a laboratory from releasing test results directly to a patient.

Your PHI at CGI

CGI collects your PHI to the extent necessary to provide services and to obtain payment for these services. This PHI may include your name, address, telephone number, social security number, date of birth, medical history, tests ordered, diagnosis, provider identification, financial responsibility, etc.

How CGI May Use and Disclose Your Protected Health Information

The following categories detail the various ways in which we may use or disclose your PHI. While we cannot list every possible use or disclosure, all of the ways we use or disclose your PHI will fall into one of the following categories.

Treatment: We use your PHI to provide your medical care, and we disclose PHI to our employees and others who are involved in providing the medical care you need. As a health care provider that provides laboratory testing for patients as requested by physicians, we use your PHI as part of our testing processes and we disclose your PHI to physicians or other authorized health care professionals (e.g., your nurses) who need access to your laboratory results to treat you. We may also disclose your PHI to another testing laboratory if we are unable to perform the testing ourselves, and as such need to refer your specimen to that laboratory to perform the requested testing.

Payment: We use and disclose PHI to obtain payment for the services we provide. Our billing department may disclose your PHI to certain insurance companies, hospitals, physicians, and health plans to collect payment, or to third parties to assist us in creating bills, claim forms, or to obtain payment for our services. For example, we may use a third party billing company or we may send your name, date of service, test performed, diagnosis code, and other information to your third party payor so such third party payor will provide us with payment for the services provided.

Health Care Operations: We will use and disclose your PHI as necessary, and as permitted by law, for health care operations. CGI may use or disclose your PHI in the course of activities required to support our health care operations, such as performing quality checks on our testing, or for developing normal reference ranges for tests that we perform. This information will be used in an effort to continually improve the quality and effectiveness of the health care services that we provide. We may also disclose your PHI to other health care providers or payors for their health care operations, but only if they already have a relationship with you or us and the purpose is for quality assurance activities, peer review activities, detecting fraud, or for other legitimate purposes.

Disclosures to Business Associates: CGI may disclose your PHI to other companies or individuals who need your PHI in order to provide specific services to us. These other entities, known as “business associates,” must comply with the terms of a contract designed to ensure that they will maintain the privacy and security of the PHI we provide to them or which they create on our behalf. Our business associates must only use your PHI for designated treatment, payment, or health care operations purposes that they perform on our behalf. For example, we may disclose your PHI to temporary employees or to the College of American Pathologists (CAP) or other private accrediting organizations that inspect and certify the quality of our laboratories.

Persons Involved in Your Care: We may disclose your PHI to individuals, such as family members, relatives, personal friends or others who are involved with your care or who help pay for your care. If you are able and available to agree or object, we will give you the opportunity to object prior to making these disclosures, although we may disclose this PHI in a disaster even over your objection if we believe it is necessary to respond to the emergency circumstances. If you are unable or unavailable to agree or object, our health care professionals will use their best judgment in communication with your family and others. To the extent permitted under federal and state law, we may disclose PHI of minors to their parents or legal guardians.

Other uses and disclosures: We are permitted or required by law to make certain other uses and disclosures of your PHI without your consent or authorization. Subject to conditions specified by law, we may release your PHI:

for any purpose required by law;
for public health activities, such as required reporting of disease, injury, and birth and death, and for required public health investigation;
to certain governmental agencies if we suspect child abuse or neglect; we may also release your PHI to certain governmental agencies if we believe you to be a victim of abuse, neglect, or domestic violence;
to entities regulated by the Food and Drug Administration if necessary to report adverse events, product defects, or to participate in product recalls;
to your employer when we have provided health care to you at the request of your employer for purposes related to occupational health and safety (in most cases you will receive notice that information is disclosed to your employer);
if required by law to a government oversight agency conducting audits, investigations, inspections and related oversight functions; in emergency circumstances, such as to prevent a serious and imminent threat to a person or the public;
if required to do so by a court or administrative order, subpoena or discovery request (in most cases you will have notice of such release);
to law enforcement officials to identify or locate suspects, fugitives or witnesses, or victims of crime, or for other allowable law enforcement purposes;
to coroners or medical examiners for the purpose of identifying a deceased person, determining cause of death or another purpose authorized by law and to funeral directors as necessary to carry out their duties with respect to the deceased to the extent consistent with applicable law;
if necessary to arrange an organ or tissue donation from you or a transplant for you;
if you are a member of the military for activities set out by certain military command authorities required by armed forces services;
if necessary for national security, intelligence, or protective services activities;
for purposes related to your workers’ compensation benefits;
to researchers conducting research with respect to which your written authorization is not required as approved by an Institutional Review Board or privacy board, in compliance with governing law; and
in the event CGI is sold or merged with another organization, your PHI will become the property of the new owner.

Authorization Required for Other Uses

CGI must receive your written authorization prior to disclosing your PHI in any manner that is not set forth and described above. If you would like to authorize us to disclose your PHI in a manner that is not set forth above, please provide a written authorization to our HIPAA Privacy Officer at the contact information below. Such written authorization must include the following information: name, address, telephone number and patient identification number or Social Security number. You may revoke this written authorization at any time by notifying our HIPAA Privacy Officer in writing, except if we have already made a disclosure based on that authorization. Such revocation shall contain the same information as is required to be provided in the written authorization. In the alternative, you may contact our HIPAA Privacy Officer to request a written authorization form or revocation of written authorization form.

Your Rights Concerning PHI

You have certain rights relating to your PHI that we maintain and you can exercise these rights by making a written request to our HIPAA Privacy Officer at the contact information below. Subject to certain exceptions under applicable law, your rights to your PHI are as follows:

Access: You or your designated representative have the right to access, review and/or obtain copies of your current PHI; provided, that, either you or your designated representative has delivered a written request to CGI, unless access is otherwise prohibited including, but not limited to, instances in which state law is more restrictive than federal law. Furthermore, we may restrict your access to information we compile in reasonable anticipation of, or use in, civil, criminal or administrative actions or proceedings.

You may make requests to review or obtain copies of your PHI by contacting our HIPAA Privacy Officer in writing at the contact information below. CGI may charge a reasonable fee for copies of your PHI. Under certain circumstances, should we deny your request, you have the right to ask for the denial to be reviewed by a licensed health care professional designated by CGI.

Amendments: You have a right to request that PHI that we maintain about you be amended or corrected. All amendment requests, in order to be considered by us, must be submitted to our HIPAA Privacy Officer, in writing, signed by you or your designated representative, and must state the reasons for the amendment/correction request. If we find the information is incomplete or incorrect, we may amend your PHI in accordance with our policy, but original information will not be removed. We will also make reasonable efforts to inform and provide approved amendments to those who possess your PHI and need to be informed of the amendment, including our business associates.

We are allowed to deny the request for various reasons, including if CGI did not create the information for which an amendment is required or if we believe the current information is accurate and complete. If we deny your amendment request, we will inform you in writing of this denial and explain the process involved to exercise your right to submit a written statement of disagreement.

Accounting: You have the right to receive an accounting of certain disclosures made by us or our business associates of your PHI. This accounting will include only those disclosures made in the six years prior to the date on which the accounting is requested, but not including any disclosures made prior to April 14, 2003, when the Privacy Rule went into effect. This accounting will not include any disclosures to you or your authorized representatives, disclosures related to treatment, payment or health care operations, disclosures authorized by you, and certain other excluded disclosures. Requests must be made in writing and signed by you or your designated representative. The first accounting in any 12 month period shall be without charge, but we may assess a reasonable cost based-fee in connection with additional requests by you within the same 12 month period.

Restrictions: You have the right to request restrictions on certain of our uses and disclosures of your PHI for treatment, payment, or health care operations. For example, you may request that we do not share your PHI with a certain family member. We are not required to agree to your restriction request but will attempt to accommodate reasonable requests when appropriate and we retain the right to terminate an agreed-to restriction if we believe such termination is appropriate. In the event we have terminated an agreed upon restriction, we will notify you of such termination.

Confidential Communications: You have the right to request that we send communications of your PHI by alternative means or at alternative locations than our usual procedure. For example, you may request that we direct all correspondence to your attention at a family member’s address, that we contact you at work rather than home or that we contact you by mail instead of telephone. You must make your request in writing and we will make an effort to accommodate reasonable requests.

Notice of PHI Privacy Practices: You have the right to request a paper and/or electronic copy of this Notice at any time by contacting our HIPAA Privacy Officer.

Effective for services provided to you after February 16, 2010, you have the right to ask us to restrict the disclosure of PHI to your health plan for a service we provide to you where you have directly paid us (out of pocket, in full) for that service, in which case we are required to honor your request.

How to Exercise Your Rights or Ask Questions: To exercise your rights or for any questions regarding this Notice, please contact our HIPAA Privacy Officer at:

Cancer Genetics, Inc.

Meadows Office Complex

201 Route 17 North

2nd Floor

Rutherford, NJ 07070

Main Phone: +1.201.528.9200

Fax Line: +1.201.528.9201

Email: contact@cancergenetics.com

Please include sufficient information for us to identify all of your records such as your name, address, and a telephone number where we can contact you. CGI will consider your request and provide you a response within a reasonable timeframe.

Complaints: If you believe your privacy rights have been violated, please let us know immediately by contacting our HIPAA Privacy Officer at 201.528.9200 Please make sure to include sufficient information for us to identify you and a brief description of the circumstances surrounding the violation.

You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services by contacting the following:

The U.S. Department of Health and Human Services, 200 Independence Avenue, S.W.  Washington, D.C. 20201 Telephone: 202-619-0257  Toll Free: 1-877-696-6775

CGI will not retaliate against any individual for filing a complaint.

Changes to this Notice of Privacy Practices Related to PHI: CGI reserves the right to amend this Notice at any time to reflect changes in our privacy practices. Any such changes will be applicable to and effective for all PHI that we maintain including PHI we created or received prior to the effective date of such amendment as CGI is required to abide by the privacy practices currently in effect. CGI will post any Privacy Policy changes on this page. Please review this page periodically to ensure you are aware of any such updates.

Last revised: 10 May 2010