Personal Data Protection and Privacy Policy

  1. INTRODUCTION
  2. OBJECTIVE
  3. APPLICABILITY
  4. DEFINITIONS
  5. PROCESSING OPERATORS
  6. EPIMED PRODUCTS
  7. DATA COLLECTION, STORAGE, USE AND DESTRUCTION
    7.1 Collection
    7.2 Data Storage
    7.3 Data Usage
    7.4 Data Access
      7.4.1 Epimed Professionals with Data Access
      7.4.2 Production of Reports
      7.4.3 Relationship with Third Parties
    7.5 Data Destruction
  8. DATA PROCESSING FLOWCHART
  9. DATA PROTECTION
  10. INCIDENT RESPONSE PLAN
  11. COMMUNICATION
  12. GENERAL PROVISIONS
  13. REVIEW HISTORY

1 - INTRODUCTION

Epimed Solutions (“Epimed”) specializes in solutions for the management of clinical and epidemiological information, which improve the efficiency of hospital care and patient safety.

Epimed has developed software capable of managing clinical information in real time, evaluating the performance and efficiency of hospital ICUs, assessing the risk of a long stay in the ICU for each patient, managing clinical data and quality indicators, and monitoring incidents and adverse events in hospitals, among other services (“Epimed System”).

The Epimed System operates by receiving data provided by hospitals, clinics, social health organizations and other health institutions (“Health Institution”), some of which are Personal Data and/or Sensitive Personal Data (“Data”), depending on the software and services hired by hospitals.

In accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) on the protection of Personal Data, this Personal Data and Privacy Policy (“Policy”) was created in order to reaffirm Epimed’s commitment to best practices in protecting the data it receives.

2 - OBJECTIVE

Through this Privacy and Data Protection Policy (“Policy”), we inform Epimed System’s users of our guidelines on the collection, use and any other processing of Personal Data performed directly or indirectly when they use our systems, register, or access or visit the Platform.

This Privacy Policy is intended to be transparent, in order to (i) present the reasons why we process Personal Data and (ii) explain how we process Personal Data, in strict compliance with the GDPR.

3 - APPLICABILITY

This Policy applies to all Epimed Solutions employees, service providers and contracted third parties.

Data management in accordance with this Policy is the responsibility of all employees and service providers, within the limits of the attributions of each area involved.

4 - DEFINITIONS

For a better understanding of this Policy, it is necessary to understand the following definitions:

  • European Data Protection Supervisor (EDPS): a body whose function is to ensure that the institutions of the European Union observe citizens’ right to privacy when using their data;
  • European Data Protection Board (EDPB): an independent body that assists in the consistent enforcement of Data Protection rules in the European Union by promoting cooperation among the European Data Protection Authorities;
  • Controller: a natural or legal person, governed by public or private law, who is responsible for decisions concerning the processing of Personal Data;
  • Processor: a natural or legal person, governed by public or private law, who processes Personal Data on behalf of the Controller;
  • Personal Data: any information relating to an identified or identifiable natural person. For the purposes of this Policy, references to Personal Data include Sensitive Personal Data;
  • Special Categories of Data: personal data concerning racial or ethnic origin, religious conviction, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, and genetic or biometric data when linked to a natural person;
  • Data Protection Officer: the person appointed by the Controller and Processor to act as a communication channel between the Controller, the Data Subjects and the National Data Protection Authority;
  • General Data Protection Regulation (GDPR): Regulation 2016/679, created in 2018. It is a European regulation on privacy and personal data protection, applicable to all individuals in the European Union (EU) and the European Economic Area (EEA). It also regulates the export of personal data outside the EU and the EEA;
  • Data Subject: the natural person to whom the Personal Data being processed relate;
  • Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and
  • User: a person who accesses the System or interacts with Epimed’s website.

5 - PROCESSING OPERATORS

Epimed, as the Data Processor, performs the Processing of Data provided by Health Institutions according to their instructions and in compliance with the GDPR.

We assume the position of Data Controller when we are responsible for decisions regarding the processing of Personal Data, such as, for example, in the existing relationship between Epimed and its employees by virtue of the signed employment contract.

In compliance with the GDPR, Epimed has appointed a Data Protection Officer (DPO), who is responsible for managing the privacy program and for acting as the bridge between Health Institutions and Epimed, or between Data Subjects and Epimed, concerning Data processing.

The Chief Protection Officer (CPO), in turn, was appointed as the person responsible for making the necessary investments in the privacy program, as well as for carrying out all communication directed to the National Data Protection Authority.

6 - EPIMED PRODUCTS

The Products offered by Epimed are described below, together with the purpose and type of processing performed by each one of them.

Software: Epimed ICU Monitor (Adult and NeoPed)
Purpose:
  • Software used to manage clinical information and epidemiological profile in real time in hospital ICUs;
  • Access to key specialized scores for stratification of patient severity;
  • Evaluation of ICU performance and efficiency through risk-adjusted measures (efficiency matrix, standardized mortality and resource utilization rates);
  • Bedside monitoring of adherence to best care practices and prevention of adverse events and health-related infections using checklists and bundles;
  • Assessment of the intensity of patients’ nursing care needs to optimize the allocation of human resources in the ICU; and
  • ICU clinical indicators for the hospital accreditation process.
Treatment type: Collecting, receiving, storing, accessing, processing, using, evaluating, monitoring, reporting, and disposing of Data.

Software: Hospitalization Beds – Open Units
Purpose: Software used for clinical information management and epidemiological profiling.
Treatment type: Collecting, receiving, storing, accessing, processing, using, evaluating, monitoring, reporting, and disposing of Data.

Software: Performance
Purpose: Evaluation of the risk of a long stay in the ICU for each patient, calculating, on the first day, the individual estimates of length of stay and the probability of a long stay in the ICU through exclusive predictive analysis algorithms developed by Epimed.
Treatment type: Evaluation and report generation based on the Data collected by the ICU system, and disposal of the information.

Software: CCIH
Purpose: Allows real-time management of hospital infection control indicators in health institutions.
Treatment type: Collecting, receiving, storing, accessing, processing, using, evaluating, monitoring, reporting, and disposing of Data.

Software: Patient Safety
Purpose: Allows real-time management of adverse incidents/events in health institutions.
Treatment type: Collecting, receiving, storing, accessing, processing, using, evaluating, monitoring, reporting, and disposing of Data.

Software: Nursing Activities Score (NAS)
Purpose: Estimates the nursing workload according to the characteristics of inpatients and the use of resources in ICUs.
Treatment type: Collecting, storing, reporting on the collected data, and disposing of it.

7 - DATA COLLECTION, STORAGE, USE AND DESTRUCTION

7.1. Collection

Epimed only collects the patient Data strictly necessary to provide the services offered by the Epimed System, according to the standards established by the GDPR.

Health Institutions are responsible for sending Data to the Epimed System. Patient information can be entered into the Epimed System platforms directly and manually by the personnel the Health Institution has authorized to access the Epimed System (“Users”).

Users can instead choose to use an integration procedure offered by Epimed, through which the patient Data is collected by filling out a form and Epimed subsequently enters it into the Epimed System.

Each User, through an Epimed System tool, will accept the Privacy Policy of the Epimed System Users.

7.2. Data Storage

After being collected and received by Epimed, Data are stored in a secure cloud environment managed by Epimed’s internal Information Technology team and protected, according to good security practices, against intrusions, leaks, and deletion of Data.

The database is protected by the controls and procedures adopted in item 9 of this Policy and in the policies mentioned therein.

7.3. Data Usage

Data shall be used by Epimed according to the type of Product contracted by the Health Institution and exclusively to meet the purposes described in Chapter 6 above.

The processing of personal data shall be done in a transparent, lawful, and fair manner, and all records shall be kept by Epimed in the systems involved.

7.4. Data Access

Each Health Institution has direct access only to its own Data, and only the Users duly registered by the Health Institution are authorized to access them.

Besides processing patient Data from the Health Institutions, Epimed also needs to collect, store, use and discard Personal Data from Epimed System’s Users to ensure that only authorized people have access to its platforms.

When starting its contractual relationship with Epimed, the Health Institution must share the details of a representative appointed as responsible for the approval and registration of the other employees of the Health Institution who may have access to the Epimed System at that institution (“User in Charge”).

Once the User in Charge is registered, the Health Institution becomes solely responsible for allowing new users to the Epimed System.

The User in Charge is responsible for delegating access to Epimed’s services, as well as for the scope of permissions that new users will have in the Epimed System.

In order to register new Users, the User in Charge must enter the name and e-mail address of each such User in the Epimed System.

All Users must accept all the terms and conditions of the Privacy Policy, consenting to the use of their Data by Epimed, in order to have access to the Epimed System.

Health Institutions must inform Epimed whenever a User needs to be disconnected from the Epimed System so that this User’s credentials are deactivated. All mechanisms and precautions for the protection of collected patient Data also apply to the Epimed System Users’ Personal and/or Special Categories of Data held by Epimed.

7.4.1. Epimed Professionals with Data Access

Epimed grants restricted and limited access to certain Epimed employees to ensure support for, and the proper functioning, maintenance, correction and protection of, the Epimed System.

Employees with access to the database fully adhere to Epimed’s confidentiality policy by signing the Epimed Code of Ethics and Conduct.

7.4.2. Production of Reports

The Health Institution may generate reports related to the type of contracted Product listed in item 6 above.

The reports generated by Epimed, as a rule, do not reproduce Personal and/or Special Categories of Data; they consist only of statistics about the events that occurred within the Health Institutions, without the personal identification of patients.

All reports generated by Epimed System are able to identify the User who produced them, ensuring better control of Data circulation.

7.4.3. Relationship with Third Parties

Epimed only uses third-party services for the hosting of the physical servers on which Epimed’s system environments run.

Epimed does not use other entities to provide the service contracted by Health Institutions.

It is important to mention that Epimed annually hires external audit companies to check and validate its information security system. In addition, a revalidation is performed every 3 (three) months as part of the annual audit project.

The sending of information to third parties can only occur in the following cases: (i) according to the applicable law, (ii) in compliance with legal obligations/judicial orders, or (iii) to respond to public or governmental authorities’ requests.

7.5. Data Destruction

The Data stored in the Epimed database will be disposed of if ordered by the Health Institution or in the case of termination of the contractual relationship between Epimed and the Health Institution. The Health Institution will receive a copy of its database, and the destruction is performed in compliance with the GDPR.

Epimed will dispose of the Data within sixty (60) days after the proper request for disposal of the Data by the Health Institution or after the termination of the contract, unless the Health Institution or Controller expressly requests that the Data be kept in the Epimed System database.

We dispose of Data securely, as provided for in the GDPR, by using a physical deletion method in the Epimed database. After deletion, the Data will be rendered unrecoverable after thirty (30) days.

8 - DATA PROCESSING FLOWCHART

(Figure: data processing flowchart; the image is not reproduced in this text.)

9 - DATA PROTECTION

Epimed makes every effort to protect the confidentiality of the Data, adopting the best information security practices for the traffic and storage of data and information, including, but not limited to:

  • The adoption of good security practices, described in Epimed’s Information Security Policy and in the ISO 27001, ISO 27701 and ISO 27799 standards, the latter focused on specific controls for the protection of personal health information;
  • Secure data storage, through the adoption of encryption throughout Epimed’s database;
  • Risk management, including the mapping of information and Data exchange interfaces between Epimed users, and other measures provided for in Epimed’s Information Security Risk Management Policy;
  • Adherence to the rules regarding international data transfer, in order to follow good market practices;
  • Monitoring of cybersecurity alerts;
  • The segregation of access profiles, so that access to information and data is restricted to certain access profiles defined by Infrastructure Management, as described in Epimed’s Information Security Policy; and
  • Periodic external information security audits based on the ISO 27001, ISO 27701 and ISO 27799 standards.

In addition to the data protection measures mentioned above, Epimed’s Privacy Program also includes the guidelines described in the Information Security Policy, Software Safe Development Policy, and Information Security Risk Management Policy.

10 - INCIDENT RESPONSE PLAN

Notwithstanding the preventive measures for Data protection, Epimed has an Incident Response Plan, whose purpose is to establish guidelines for managing the response to possible incidents involving violation or leakage of Personal Data, in order to meet the requirements of the data protection legislation of the countries with which Epimed maintains commercial relations, ensuring the mitigation of risks and of any damage caused to the Data Subjects.

11 - COMMUNICATION

If you have any questions about this Policy, your rights, or how to exercise them, you can contact the Data Protection Officer at dataprotection@epimedosolutions.com or through Epimed Solutions’ Confidential Channel, available on the website. Epimed will make every effort to fulfill requests in the shortest possible time, observing the GDPR and applicable laws.

12 - GENERAL PROVISIONS

This document must be reviewed every 1 (one) year, or whenever necessary, to adapt it to the current legislation and the GDPR.

13 - REVIEW HISTORY

Review | Date | Reason | Responsible | Expiration date
00 | 07.20.2018 | Starter Version | Veirano Advogados Law Office | 24.06.2022
01 | 06.24.2022 | First review | Stephanie B. Schemes | 24.06.2022
02 | 03.29.2023 | Second Review | Stephanie B. Schemes | 29.03.2023

Date of Review | Elaboration Version | Elaborated by | Review/Position | Approvals
03/29/2023 | 3.0 | Stephanie B. Schemes | Carlos Reis | Carlos Reis; Bruno Stefan; Stephanie Schemes