Supplemental Information for Parents About DOE Agreements With Outside Entities

New York Education Law §2-d gives parents the right to access certain information about agreements the NYC DOE has entered into with outside entities (such as vendors) who are permitted to receive or to access identifiable student information from the DOE. These entities are required to answer a number of questions about their privacy and data security practices. Responses from such outside entities to these questions are found below. Please note that this page will be updated on a periodic basis with responses from additional outside entities.

BioReference Laboratories, Inc.

  1. The exclusive purposes for which Protected Information will be used, and how students and staff members will benefit from the Contractor’s services: Protected Information will be used by BioReference Laboratories, Inc. (“BRL”) for the sole purpose of performing COVID-19 testing under its contractual agreement with New York City Health and Hospitals Corporation.
  2. How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your written agreement with the NYC DOE: BRL will not utilize any subcontractors for the testing, and will only report COVID-19 test results to the patients (or, if a minor, the parent or guardian), the ordering physician, and public health authorities including the Centers for Disease Control and Prevention, the NYS Department of Health, the NYC Department of Health, and NYC Health + Hospitals’ NYC Test + Trace program as required or permitted by law.
  3. When the written agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: This Agreement is effective October 1, 2020 and will continue for so long as the Contractor will be providing the NYC DOE services with respect to COVID-19 testing. Under the federal Clinical Laboratory Improvement Amendments of 1988 as well as New York state laboratory laws and regulations, BRL is required to retain test orders and requisitions, consents to testing, and test results. This Protected Information will be retained in the same secure manner as BRL retains information for the approximately 60,000-70,000 tests that it performs daily.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing requests for copies of student Protected Information, and challenges to the accuracy of student data in the custody of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov. However, if a parent of a student who was tested wishes to obtain a copy of their child’s laboratory testing records, the request should be directed to patientportal@bioreference.com.
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Protected Information is stored in the US. Please see question #3 above.
  6. How the data will be encrypted (described in such a manner as to protect data security): BRL employs industry standard encryption method and strength for data at rest and in transit.

See the full BioReference Laboratories, Inc. agreement.

Fulgent Genetics, Inc.

  1. The exclusive purposes for which Protected Information will be used, and how students and staff members will benefit from the Contractor’s services: Protected Information will be used by Fulgent Genetics, Inc. (“Fulgent”) for the sole purpose of performing COVID-19 testing under its contractual agreement with New York City Health and Hospitals Corporation.
  2.  How you will ensure that the subcontractors or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your written agreement with the NYC DOE: Fulgent will not utilize any subcontractors for the testing, and will only report COVID-19 test results to the patients (or, if a minor, the parent or guardian), the ordering physician, and public health authorities including the Centers for Disease Control and Prevention, the NYS Department of Health, the NYC Department of Health, and NYC Health + Hospitals’ NYC Test + Trace program as required or permitted by law.
  3. When the written agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: This Agreement is effective October 1, 2020 and will continue for so long as the Contractor will be providing the NYC DOE services with respect to COVID-19 testing. Under the federal Clinical Laboratory Improvement Amendments of 1988 as well as New York state laboratory laws and regulations, Fulgent is required to retain test orders and requisitions, consents to testing, and test results. This Protected Information will be retained in the same secure manner as Fulgent retains information for the approximately 60,000 – 70,000 tests that it performs daily.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, the Contractor will work with the NYC DOE in processing requests for copies of student Protected Information, and challenges to the accuracy of student data in the custody of the Contractor. Such requests should be directed to studentprivacy@schools.nyc.gov. However, if a parent of a student who was tested wishes to obtain a copy of their child’s laboratory testing records, the request should be directed to Fulgent.
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Protected Information is stored in the US. Please see question #3 above.
  6. How the data will be encrypted (described in such a manner as to protect data security): Fulgent employs industry standard encryption method and strength for data at rest and in transit.

See the full Fulgent Genetics, Inc. agreement.

Somos Healthcare Inc. D/B/A Somos Community Care

  1. The exclusive purposes for which Protected Information will be used, and how students and staff members will benefit from the Vendor’s services: Protected Information will be used by Vendor, as such is defined within the Agreement, for the sole purpose of performing COVID-19 testing under its contractual agreement with New York City Health and Hospitals Corporation.
  2. How you will ensure that the Vendor or other authorized persons or entities that you will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements required by your written agreement with the NYC DOE: Vendor will provide the Services as detailed within the Specimen Collection Agreement and will only report COVID-19 test results to parents or guardians of the Tested Students, Tested Students over 18 years of age and Tested Staff, as required or permitted by law and will further ensure that all personnel involved in the specimen collection and reporting comply with all confidentiality and privacy obligations equivalent to and no less protective than those found within this Agreement.
  3. When the written agreement with the NYC DOE starts and ends and what happens to Protected Information upon expiration of the agreement: This Agreement is effective October 1, 2020 and will continue for so long as the Contractor will be providing the NYC DOE services with respect to COVID-19 testing. Somos abides by NIST 800-53 controls to as well as applicable New York state laws and regulations to safeguard Protected Information. BioReference Laboratories (“BRL”) under its Agreement with H+H will be required to retain test orders and requisitions, consents to testing, and test results. This Protected Information will be retained in the same secure manner as BRL retains information for the approximately 60,000-70,000 tests that it performs daily. Vendor shall retain any PHI it receives from BRL in accordance with all law and regulation.
  4. If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected: Pursuant to its contractual obligations, Vendor will work collectively with the NYC DOE in processing requests for copies of student Protected Information, and challenges to the accuracy of student data in the custody of the Vendor. Any received requests will be directed to studentprivacy@schools.nyc.gov. However, if a parent of a student who was tested wishes to obtain a copy of their child’s laboratory testing records, the request should be directed to BRL through its portal at patientportal@bioreference.com.
  5. Whether the Protected Information will be stored in the US or outside of the US (and if outside of the US, where), and the security protections taken to ensure such data will be protected (described in such a manner as to protect data security): The Protected Information is stored in the US. Please see question #3 above.
  6. How the data will be encrypted (described in such a manner as to protect data security): Vendor employs industry standard encryption method and strength for data at rest and in transit.

See the full Somos Healthcare Inc. D/B/A Somos Community Care agreement

Back to Top