We put privacy and security first and our priority is to ensure that patients and healthcare providers have full transparency and control over the use of their data.
















uMed is a clinical research and health technology company that partners with healthcare professionals to deliver research opportunities.
To allow us to send communications to patients on behalf of healthcare organizations, we process patient roster data securely uploaded to the uMed platform by your organization. This includes names, contact details, and demographics, as well as any communication back from patients (such as answers to questionnaires or patient replies to text messages).
uMed keeps patient data secure through a robust combination of technical, administrative, and physical safeguards designed to meet or exceed HIPAA requirements. All protected health information (PHI) is encrypted at rest and in transit. Access to patient data is strictly limited to authorized personnel with a legitimate business need, enforced through role-based permissions and comprehensive audit logging.
uMed operates under signed Business Associate Agreements (BAAs) with healthcare organizations and, where required, under IRB-approved protocols. This ensures that patient confidentiality is maintained at all times while enabling valuable research opportunities.
Our platform is:
- Fully HIPAA compliant with a signed Business Associate Agreement (BAA), where applicable.
- ISO 27001:2022 and ISO 9001:2015 certified.
This depends on which recruitment model your organization chooses to use with uMed. There are two primary pathways:
Roster Model (requires Business Associate Agreement)
Your organization shares a patient roster file with uMed — either directly under a BAA with uMed or via an EHR network partner (such as WellSky) that already has a BAA in place.
• Onboarding typically takes 15–30 minutes and involves signing the BAA (if direct) plus providing your practice’s NPI and facility details. Our support team is available to assist.
• You review and approve the list of potentially eligible patients before any contact occurs.
• uMed’s trained research nurses then reach out to patients on your behalf via SMS, email, or letter. Patients complete consent remotely and electronically.
• We provide a dedicated patient helpline to minimize incoming calls to your practice.
Patient Self-Registration Model (no direct BAA required)
Your organization sends eligible patients an invitation (e.g., email or SMS) containing a secure link to register their interest directly on the uMed platform. Patients then provide consent, complete eligibility screening, and supply contact details themselves.
This model requires minimal ongoing staff involvement after the initial invitation is sent.
Your uMed contact will confirm which model(s) are available for each study and recommend the best approach for your organization.
The BAA is the legal agreement that defines how uMed will process protected health information (PHI) on behalf of your organization (the Covered Entity). It covers:
a) Processing the patient roster file you provide to identify potential research subjects for your review and approval.
b) Engaging those patients on your behalf to support recruitment and data capture (if approved).
c) Linking study outcomes back to the clinical record (if approved).
This is not a data-sharing agreement. As a Business Associate, uMed cannot use or disclose PHI except as permitted by the BAA and your direction. This is the same framework used by other HIPAA-compliant vendors (e.g., EHR vendors, billing services, and telehealth platforms).
Where your organization connects via an EHR network partner, the BAA between that partner and uMed governs uMed's processing — no separate agreement with your organization is needed.
Your healthcare organization signs a Business Associate Agreement (BAA) with uMed. This legally authorizes uMed to process protected health information on your behalf for the purposes of providing individualized care and offering research opportunities to your patients.
All processing is conducted in accordance with HIPAA, the HITECH Act, and applicable state privacy laws. uMed implements appropriate administrative, physical, and technical safeguards to protect PHI.
uMed, acting on behalf of healthcare providers, ensures that patient confidentiality is respected at all times.
Patient-identifiable information is only accessed by a limited number of authorized uMed clinical support staff (qualified nurses) for the specific purpose of contacting patients who may be eligible for approved research studies. All access is strictly controlled, role-based, and fully audited.
For studies requiring the use of identifiable data without prior patient authorization, uMed operates under IRB approval and, where applicable, an IRB-approved waiver of authorization under HIPAA. In all cases, patients retain the right to opt out at any time.
No. uMed simply provides a technology service to support an array of academic and commercial studies, which can be both observational and interventional. There is no exclusivity, and the practice is free to participate in other studies as usual.
uMed provides a dedicated patient helpline designed to support patients throughout the process and reduce the pressure of incoming calls for your practice staff related to the study.
Patients remain in full control of their data at all times. They can opt out of being contacted, having their data shared, or participating in a study at any point. Patients may also exercise their rights under HIPAA (including the right to access, amend, or request restrictions on their health information) by contacting uMed or their healthcare provider.
No. uMed does not use your personal data for marketing, although uMed may occasionally send feedback surveys about our services to help us improve. In these cases, we always ask for your permission. You can also review our Privacy Policy for full details on how we handle data. uMed does not use provider or patient data for unrelated marketing purposes.
Changes to this notice
Last updated: 16 June, 2026

hello@umed.io

