Attachment A – EU Privacy Notice (Effective, 2018)
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This EU Privacy Notice applies to Personal Data collected by InXite Health Systems from individuals who are in the European Union (EU) at the time the Personal Data is provided.
InXite Health Systems understands that your Personal Data, particularly health and employment information, is sensitive and confidential. InXite Health Systems makes every reasonable effort to protect your Personal Data.
InXite Health Systems will not collect Personal Data from you if the collection of such Personal Data is in violation of your fundamental rights as an individual and or minor.
InXite Health Systems may create or maintain records containing Personal Data in conjunction with its patient care and employment-related activities at InXite Health Systems’s EU-based operations. InXite Health Systems may also receive and/or manage Personal Data for organizations within EU member countries that InXite Health Systems does business with. InXite Health Systems may transfer your Personal Data to the United States for processing. With respect to the handling and protection of your Personal Data, InXite Health Systems adheres to the EU GDPR. All InXite Health Systems operations that have access to Personal Data from an EU member country shall follow this EU Privacy Notice and other Privacy rules required under US law (as applicable), or EU individual provider- based data protection agreements.
InXite Health Systems is comprised of a network of hospitals, doctors, rehabilitation services, skilled nursing services, home health services, pharmacy services, laboratory services and other health care related services. Our workforce includes our staff, physicians, students, residents, trainees, volunteers and others providing services within or for these facilities, who may or may not be directly employed by InXite Health Systems.
InXite Health Systems may process your Personal Data for the business, treatment, payment, or health care operations purposes that this EU Privacy Notice describes. InXite Health Systems takes reasonable security measures to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction. These measures include, but are not limited to, password protection for online information systems and restricted access to your Personal Data.
InXite Health Systems shall not use your Personal Data in a way that is incompatible with the purposes for which it has been collected unless authorized by you. InXite Health Systems will also take reasonable steps to ensure that Personal Data collected is relevant for its intended use, and is accurate, complete and current.
For our Patients — InXite Health Systems may create and maintain records with Personal Data about your care. We may collect, process and store your Personal Data for purposes such as:
Providing healthcare services to you;
Designing, implementing and/or maintaining patient care and patient-related information systems;
Maintaining medical records (including transcriptions, laboratory results, diagnostic images and other types of clinical information);
Performing government reporting; and Conducting auditing, accounting, financial, quality assurance and economic and clinical analyses.
With respect to sensitive Personal Data (for example, political or religious beliefs, union membership, health matters etc.), InXite Health Systems will not share such information except as otherwise described in this Privacy Notice unless specifically authorized by you. InXite Health Systems may disclose sensitive Personal Data if required to comply with the legal process.
Upon request, InXite Health Systems will provide you with reasonable access to Personal Data that it holds about you and will take reasonable steps to permit you to correct or amend any Personal Data which is inaccurate or incomplete. If you want access to your Personal Data, you should provide a written request to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data. In addition to the right to access your Personal Data, you also have the following rights:
Right to Access
Right to Rectification
Right to Erasure
Right to Restriction of Processing
Right to Portability
Right to Object
Right not to be subject to a decision base solely on automated processing
For our Workforce — InXite Health Systems normally creates and maintains records with Personal Data about your employment or staff-related services. We may collect, process, and store your Personal Data, and/or transfer this Personal Data to the U.S. for purposes such as:
management and administration of employment-related matters;
designing and administering compensation, benefits, and human resource programs;
designing and implementing employment-related education and training programs;
monitoring and evaluating employee conduct and performance;
maintaining plant and employee security, health and safety;
facilitating communications, negotiations, transactions, and conferences; and
compliance with contractual and legal obligations.
All Personal Data received and stored by InXite Health Systems will be maintained for no less than the minimum number of years as required by applicable laws.
For Third Parties — InXite Health Systems may transfer Personal Data to a third party acting as its agent (e.g., heath care operations, medical consultants, tax advisors and preparers, accountants, auditors, lawyers, financial services and benefit administrators) without the necessity to provide additional notice to you, as long as InXite Health Systems has entered into an appropriate agreement under which such third party is obligated to adhere to requirements at least as restrictive as those set forth in this EU Privacy Notice. Personal Data that is transferred shall comply with the EU GDPR and any other applicable EU individual provider- based data protection agreements.