Website Privacy Policy & Disclaimer
Last updated on Jan 23, 2026
Version 8.0
Compliance Standards: ISO/IEC 27001:2022 Certified | SOC 2 Type II Compliant
Laboratory Accreditations: CLIA Certified | ASHI Accredited
1.0 Overview
HistoGenetics is committed to the highest standards of data security and privacy. As a leader in immunogenetics testing, we maintain ISO/IEC 27001:2022 certification and have successfully completed a SOC 2 Type II audit. While we operate in a specialized global capacity, our infrastructure is built to support HIPAA and GDPR compliance, ensuring robust protection for the PHI and genetic data entrusted to us by our institutional clients worldwide.
2.0 What information do we collect?
We collect information only as necessary to provide our services, facilitate registrations, or respond to inquiries.
- Business Inquiries: Information provided by visitors (name, institutional email, phone) when requesting a quote or using “Contact Us” forms.
- Client Registration: For Hospitals, Physicians, Donor Registries, and Research Institutions, we collect organization details, contact information (billing, reporting contacts), reporting requirements and credentials for secure access via our client portal.
- Clinical Samples: We collect the following information from our registered clients via our client portal after successful login with Multi-Factor Authentication:
  - Specimen Information: Specimen Collection Date, Type of Specimen
  - Personally Identifiable Information (PII): Full Name, Date of Birth, Gender
  - Protected Health Information (PHI): Diagnosis, Hospital, Referring Physician
  - Demographic Data: Race and Ethnicity information
- Non-Clinical Samples: We collect Local IDs (Pseudonymized) from registries or research institutions along with specimen details.
Note on Payments: We do not collect or store payment-related information, such as credit card details, on this website.
3.0 How do we use your information?
We process your data based on legitimate business interests, contractual fulfillment, legal obligations, or explicit consent. Specific uses include:
- Facilitating secure account creation and portal login.
- Responding to inquiries and managing service requests.
- Clinical Reporting: Generating reports that include PII/PHI necessary for medical accuracy.
- Ethnicity & Demographic Data: We collect ethnicity information solely for the purpose of reporting to the clinician to assist them in their independent clinical interpretation if needed.
4.0 Will your information be shared?
HistoGenetics does not sell client information or genetic data to third parties. We share data only under the following circumstances:
- With Consent: When you have provided explicit permission.
- Contractual Necessity: To fulfill the terms of our service agreement with you.
- Legal Compliance: To comply with subpoenas, court orders, or national security requirements.
- Third-Party Service Providers: We utilize secure cloud storage and IT infrastructure providers who are bound by strict confidentiality and security requirements.
- Business Transfers: In the event of a merger or acquisition, data may be transferred as a business asset subject to this policy.
5.0 International Data Transfers & Security
As a global laboratory, we transfer data across borders using the following secure methods:
- Secure Portals: We primarily use the ShareFile platform, which encrypts data in transit and while stored. Clients must use unique credentials to download reports.
- Direct Integration (APIs): For institutional partners, we transmit data via secure machine-to-machine APIs to ensure a protected, direct flow into your systems.
- Email Requests: If a client specifically requests delivery via email, they acknowledge that standard email may be less secure than our portals. In such cases, the client assumes responsibility for the security of the data once it leaves our environment.
6.0 Data Retention
In accordance with CLIA, ASHI, and federal medical record-keeping regulations, clinical laboratory records cannot be deleted upon request.
- Mandatory Retention: Most clinical data must be retained for a minimum of 7 years as per NY state retention requirements to ensure patient safety and auditability.
- Secure Archives: Once the clinical utility and legal retention period expire, data is securely decommissioned or pseudonymized.
7.0 Security Measures
We employ a multi-layered security framework:
- Encryption: We use AES-256 encryption at rest and TLS 1.2+ for data in transit.
- Network Security: All portal access is shielded by enterprise-grade firewalls and monitored by intrusion detection systems.
- Access Control: Access to sensitive data is restricted to authorized users via strict authentication protocols.
8.0 Data Subject Rights & Regulatory Limitations
For the purposes of this policy, a “Data Subject” refers to any individual whose personal information is processed by HistoGenetics, including authorized institutional portal users and the individuals represented by clinical or research samples.
8.1 Institutional Relationship (Data Processor Role)
HistoGenetics primarily acts as a Data Processor or Business Associate for our institutional clients.
- Patients & Research Participants: If your sample was submitted to us by a third-party institution, please direct all inquiries regarding data access or deletion to that originating institution.
- Support for Clients: We are committed to assisting our institutional clients in fulfilling their obligations to respond to data subject requests under applicable laws.
8.2 Limitations on the Right to Erasure (Deletion)
As an ASHI-accredited and CLIA-certified laboratory, we are subject to strict federal and international medical record retention mandates.
- Mandatory Retention: We cannot delete clinical data or HLA typing records that are part of a diagnostic report until the legally required retention period (typically 7 years) has expired.
- Auditability: This retention is essential for patient safety, clinical history, and regulatory audit purposes.
8.3 Rights for Professional Contact Information
Individuals who provide contact information via our website for quotes or inquiries have the following rights:
- Access & Rectification: You may request to view or update your professional contact details.
- Deletion: You may request that we remove your business contact information from our active communication lists (opt-out).
8.4 Regional Compliance
- EEA/UK/Switzerland: We process “Special Category Data” (genetic information) under strict technical safeguards. Data subjects have the right to lodge a complaint with a relevant Supervisory Authority.
- California: Pursuant to the CCPA/CPRA, we do not sell or share sensitive personal information for cross-contextual behavioral advertising.
9.0 Cookies & Tracking
We use session cookies for essential portal functionality and Google reCAPTCHA for security. By using these features, you are bound by the Google Privacy Policy.
10.0 Disclaimer
The information on this website is for general information purposes only. While we endeavor to keep content accurate, any reliance you place on it is at your own risk. HistoGenetics takes no responsibility for temporary website unavailability due to technical issues.
11.0 Contact Us
If you have any questions or comments about this policy, you may contact our customer service team at [email protected] or by mail to the following address:
HistoGenetics Privacy Administrator
300 Executive Blvd
Ossining, NY 10562
United States
Phone: +1-914-762-0300

