Attachment A – EU Privacy Notice (Effective, 2018)

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

This EU Privacy Notice applies to Personal Data collected by InXite Health Systems from individuals who are in the European Union (EU) at the time the Personal Data is provided.

InXite Health Systems understands that your Personal Data, particularly health and employment information, is sensitive and confidential. InXite Health Systems makes every reasonable effort to protect your Personal Data.

InXite Health Systems will not collect Personal Data from you if the collection of such Personal Data is in violation of your fundamental rights as an individual and/or minor.

InXite Health Systems may create or maintain records containing Personal Data in conjunction with its patient care and employment-related activities at InXite Health Systems’s EU-based operations. InXite Health Systems may also receive and/or manage Personal Data for organizations within EU member countries that InXite Health Systems does business with. InXite Health Systems may transfer your Personal Data to the United States for processing. With respect to the handling and protection of your Personal Data, InXite Health Systems adheres to the EU GDPR. All InXite Health Systems operations that have access to Personal Data from an EU member country shall follow this EU Privacy Notice and other Privacy rules required under US law (as applicable), or EU individual provider-based data protection agreements.

InXite Health Systems is comprised of a network of hospitals, doctors, rehabilitation services, skilled nursing services, home health services, pharmacy services, laboratory services and other health care related services. Our workforce includes our staff, physicians, students, residents, trainees, volunteers and others providing services within or for these facilities, who may or may not be directly employed by InXite Health Systems.

InXite Health Systems may process your Personal Data for the business, treatment, payment, or health care operations purposes that this EU Privacy Notice describes. InXite Health Systems takes reasonable security measures to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction. These measures include, but are not limited to, password protection for online information systems and restricted access to your Personal Data.

InXite Health Systems shall not use your Personal Data in a way that is incompatible with the purposes for which it has been collected unless authorized by you. InXite Health Systems will also take reasonable steps to ensure that Personal Data collected is relevant for its intended use, and is accurate, complete and current.

For our Patients — InXite Health Systems may create and maintain records with Personal Data about your care.

We may collect, process and store your Personal Data for purposes such as:

  • Providing healthcare services to you;
  • Designing, implementing and/or maintaining patient care and patient-related information systems;
  • Maintaining medical records (including transcriptions, laboratory results, diagnostic images and other types of clinical information);
  • Performing government reporting; and
  • Conducting auditing, accounting, financial, quality assurance and economic and clinical analyses.

With respect to sensitive Personal Data (for example, political or religious beliefs, union membership, health matters etc.), InXite Health Systems will not share such information except as otherwise described in this Privacy Notice unless specifically authorized by you. InXite Health Systems may disclose sensitive Personal Data if required to comply with the legal process.

Upon request, InXite Health Systems will provide you with reasonable access to Personal Data that it holds about you and will take reasonable steps to permit you to correct or amend any Personal Data which is inaccurate or incomplete. If you want access to your Personal Data, you should provide a written request to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data.

In addition to the right to access your Personal Data, you also have the following rights:

  • Right to Access
  • Right to Rectification
  • Right to Erasure
  • Right to Restriction of Processing
  • Right to Portability
  • Right to Object
  • Right not to be subject to a decision based solely on automated processing

For our Workforce — InXite Health Systems normally creates and maintains records with Personal Data about your employment or staff-related services.

We may collect, process, and store your Personal Data, and/or transfer this Personal Data to the U.S. for purposes such as:

  • management and administration of employment-related matters;
  • designing and administering compensation, benefits, and human resource programs;
  • designing and implementing employment-related education and training programs;
  • monitoring and evaluating employee conduct and performance;
  • maintaining plant and employee security, health and safety;
  • facilitating communications, negotiations, transactions, and conferences; and
  • compliance with contractual and legal obligations.

All Personal Data received and stored by InXite Health Systems will be maintained for no less than the minimum number of years as required by applicable laws.

For Third Parties — InXite Health Systems may transfer Personal Data to a third party acting as its agent (e.g., health care operations, medical consultants, tax advisors and preparers, accountants, auditors, lawyers, financial services and benefit administrators) without the necessity to provide additional notice to you, as long as InXite Health Systems has entered into an appropriate agreement under which such third party is obligated to adhere to requirements at least as restrictive as those set forth in this EU Privacy Notice. Personal Data that is transferred shall comply with the EU GDPR and any other applicable EU individual provider-based data protection agreements.