EU PATIENT PRIVACY NOTICE PURSUANT TO THE GENERAL DATA PROTECTION REGULATION
When this Notice Applies
This EU Privacy Notice applies to Personal Data controlled by Thomas Jefferson University on behalf of itself and its controlled affiliates, including but not limited to Thomas Jefferson University Hospitals, Inc., Jefferson University Physicians, Abington Hospital, Abington Lansdale Hospital, Abington Health Physicians, Aria Health, Aria Health Physician Services, Kennedy University Hospital, Inc., Kennedy Medical Group Practice, P.C. and Magee Rehabilitation Hospital (collectively “Jefferson Health”) and relating to individuals who are in the European Union (EU) at the time the Personal Data is provided to Jefferson Health:
- During the course of Jefferson Health’s offering goods or services to individuals in the EU; and
- While Jefferson Health is monitoring the behavior or health of individuals in the EU.
Personal Data We Collect
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes “Special Category Personal Data” about patients, which is Personal Data that includes information relating to health, sexual life, racial or ethnic origin or religious beliefs. The general categories of Personal Data that Jefferson Health collects and processes include the following:
- Telephone numbers
- Email addresses
- Identification numbers including but not limited to social security numbers and driver’s license numbers
- Personal identification numbers or medical record numbers, created and used by Jefferson Health
- Demographic information, including residential information
- Emergency contact information
- Financial information and family financial information, including credit and debit card numbers, tax information, financial aid information, and insurance and benefits information
- Transaction history
- Business information
- Passport and visa information
- Insurance information
- Location information
- Palm images from scanning equipment
The general categories of Special Category Personal Data that Jefferson Health collects and processes include the following:
- Medical history and treatment information, including notes and reports about medical and health conditions, test results and x-rays, drug and medication history
- Family medical history information
- Disability information
- Biometric and genetic information
- Race, ethnicity and religion
- Protective orders, guardianship or similar records
Where We Obtain Personal Data
We may obtain Personal Data and Special Category Personal Data directly from the individual to whom it relates, or we may obtain such data from a patient or potential patient’s physician, hospital or other treatment center or medical professional, social worker, relatives or other relevant persons. We may also obtain Personal Data from public sources and third parties, e.g. vendors working on collections.
Is Providing Personal Data a Requirement?
It is important for us to have as complete as possible records of patient medical history and relevant personal history in order to deliver appropriate treatment and care in accordance with patient needs. Providing Personal Data – including Special Category Personal Data – is therefore necessary to monitor health or provide treatment pursuant to our contracts with our patients, or to enter into such contracts, as well as for regulatory purposes, and failure to provide such data may mean that we are unable to provide monitoring or treatment services. (We will inform individuals whenever providing Personal Data or Special Category Personal Data is necessary and what the impact will be if such data is not provided.)
Justification and Reasons why we Process Personal Data
Whenever we process Personal Data, we do so on the basis of a lawful "justification" (or legal basis) for processing. Processing of Special Category Personal Data is always justified by an additional condition.
- Performing a Contract. Processing Personal Data and Special Category Personal Data may be necessary to provide treatment or monitor health or behavior pursuant to a contract, such as: providing healthcare services, which may include liaising with other health care service providers and sharing via health information exchanges; scheduling appointments and exams; liaising with insurers and benefits providers; maintaining medical records (including transcriptions, laboratory results, diagnostic images and other types of clinical information); and billing and collecting fees.
- Our Legitimate Interests. In some cases, processing Personal Data and Special Category Personal Data is in our legitimate interests as a healthcare provider and our interests are not overridden by your interests, fundamental rights or freedoms. This processing is conducted for: designing, implementing and/or maintaining patient care and patient-related information systems; performing mandatory government reporting; conducting auditing, accounting, financial, quality assurance and economic and clinical analyses; creating and maintaining records about patient care and treatment; and fundraising.
- Public Interest. In some cases, processing Personal Data, including Special Category Personal Data, may be necessary to perform a task carried out in the public interest or for reasons of substantial public interest.
- Consent. When processing Special Category Personal Data, we may justify processing by obtaining explicit consent, such as a specific authorization form that must be signed by the patient or his or her guardian. We will also obtain explicit consent to transfer Personal Data and Special Category Personal Data to the U.S.
- Vital Interests. In rare cases, processing Special Category Personal Data may be necessary to protect an individual’s vital interests (or those of another person) in circumstances where the individual is physically or legally incapable of giving consent.
When the justification for processing is our legitimate interests, those interests are to take necessary steps (which includes the collection, processing and maintenance of accurate and complete health and other information) to enable the delivery of the best possible care and treatment to patients.
Where we Process Personal Data
Jefferson Health is based in the United States and is subject to United States and Pennsylvania, New Jersey and Delaware laws, and possibly other state jurisdictions. Personal Data will generally be hosted on US servers. The U.S. does not benefit from a finding by the European Commission (an “adequacy decision”) that U.S. law affords adequate protections to Personal Data. To the extent that Jefferson Health needs to transfer Personal Data either (a) from the EEA to the U.S. or another country or (b) from the U.S. to another country, Jefferson Health will do so on the basis of either (i) an “adequacy decision” by the European Commission; (ii) EU-sanctioned “appropriate safeguards” for transfer such as model clauses, a copy of which may be requested, if applicable, by contacting Jefferson Health as set forth at firstname.lastname@example.org; (iii) explicit and informed consent; or (iv) it being necessary for the performance of a contract or the implementation of pre-contractual measures with Jefferson Health.
TJU, on its own or through third-party vendors, occasionally uses first-party and third-party cookies together to inform, optimize and serve content and ads based on your past visits to our Site. The techniques TJU’s third-party vendors employ do not collect any personal data.
Our Site uses Google Analytics to help us understand, in aggregate, the age, gender and interests of Site visitors. This tool does not reveal to TJU your name or other identifying data. TJU does not combine the data collected through use of Google Analytics with personally identifiable data. The data received from Google Analytics is used only to improve our Site and the type of data displayed to Site visitors, so we can better serve those interested in TJU.
TJU works with an advertising agency and occasionally hires other companies to provide services on our behalf, for example, to register for events. TJU will provide these companies only with the data they need to deliver the services, and they are contractually prohibited from using that data for any other purpose.
Certain visitors to TJU websites choose to interact with the site in ways that gather personally-identifying information. The amount and type of information gathered depends on the nature of the interaction. For example, when registering for an event, users are required to enter their registration information. In these cases, we collect such information only as it is necessary or appropriate to fulfill the purpose of the visitor’s interaction with TJU. TJU does not disclose personally-identifying information, and visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent them from engaging in certain website-related activities.
At any time while accessing our Site, any visitor may decline participation in any activity that would require providing data. Your decision not to participate will not affect your ability to use any other feature on our Site or receive services from TJU.
TJU offers you opportunities to engage in blogs and social networks, such as Facebook and Twitter, that are designed to be visible to other users, including any comments and postings that you make. You should be aware that any personally identifiable data you choose to submit via those media can be read, collected, and used by other participants and could be used to send you unsolicited messages. We are not responsible for the personally identifiable data you choose to submit when you engage in such activities.
Sharing Personal Data
Jefferson Health is a network of hospitals, doctors, rehabilitation services, skilled nursing services, home health services, pharmacy services, laboratory services and other health care related services. Our workforce includes our staff, physicians, students, residents, trainees, volunteers and others providing services within or for these facilities, who may or may not be directly employed by Jefferson Health.
Jefferson Health shares Personal Data (including Special Categories of Personal Data) with our network and workforce, but only as strictly necessary for the business, treatment, payment, or health care operations purposes that this EU Privacy Notice describes.
Jefferson Health may also share Personal Data with third parties (e.g., health care operations providers, medical consultants, tax advisors and preparers, accountants, auditors, lawyers, financial services and benefit administrators, or other similar parties). Where required, Jefferson Health has entered into appropriate data processing or data transfer agreements with these third parties.
Jefferson Health may disclose Personal Data (including Special Category Personal Data) if required to comply with legal process.
Jefferson Health shall not use Personal Data in a way that is incompatible with the purposes for which it has been collected unless authorized by the individual to whom the Personal Data relates. Jefferson Health also will take reasonable steps to ensure that Personal Data collected is relevant for its intended use, and is accurate, complete and current.
Rights Concerning Personal Data
The rights described below apply to all Personal Data, including Special Category Personal Data.
The Right of Access
You have the right to request that Jefferson Health confirm whether it is processing your Personal Data. If Jefferson Health is processing your Personal Data, you have the right to view that Personal Data, and Jefferson Health will provide you with a copy of that Personal Data unless prevented by applicable law.
The Right of Correction
You have the right to request that Jefferson Health correct any inaccurate Personal Data that it maintains about you. You also have the right to request that Jefferson Health complete any incomplete Personal Data that it maintains about you, when that could be accomplished by incorporating a supplementary statement that you submit. If Jefferson Health concurs that the Personal Data is incorrect or incomplete, Jefferson Health will promptly correct or complete it.
The Right to Erasure
You have the right to request the erasure of Personal Data that Jefferson Health maintains about you in certain circumstances. These circumstances are identified in Article 17 of the GDPR and include that the Personal Data is no longer necessary in relation to the purpose(s) for which it was collected.
Subject to applicable U.S., state, and EU law, and Jefferson Health policies, including but not limited to its Notice of Privacy Practices, and provided that there are no overriding legitimate grounds for Jefferson Health to retain the Personal Data, Jefferson Health will comply with the request with respect to any Personal Data retained by Jefferson Health and will take reasonable steps to inform any third parties with whom the Personal Data was shared.
The Right to Restrict Processing of Personal Data
You have the right to request that Jefferson Health restrict the processing of your Personal Data where one of the reasons identified in Article 18 of the GDPR applies. These reasons include that the Personal Data is inaccurate, the processing is unlawful, or Jefferson Health no longer needs the Personal Data but you require it to establish, exercise or defend a legal claim.
If Jefferson Health grants your request to restrict processing, Jefferson Health will only process that Personal Data with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable US, state, or EU law.
The Right to Data Portability
Where the justification for processing is either consent or performance of a contract between you and Jefferson Health, and where the processing is carried out by automated means, you have the right to receive your Personal Data that you have provided to Jefferson Health. Jefferson Health will provide the Personal Data in a structured, commonly used, and machine-readable format. Where technically feasible and upon your request, Jefferson Health will transmit the Personal Data directly to another entity.
The Right to Withdraw Consent
If the basis for processing your Personal Data is consent, you may revoke your consent at any time. Upon receipt of your notice withdrawing consent, and if there are no other justifications for the processing, Jefferson Health will stop processing the Personal Data unless the processing is necessary for the establishment, exercise, or defense of legal claims. Revoking consent does not affect the lawfulness of processing that occurred before the revocation.
The Right to Object to Processing
In certain situations, you may have the right to object to processing of your Personal Data.
- Public Interest or Legitimate Interests. If the justification for processing your Personal Data is public interest or legitimate interests, you have the right to object to processing the Personal Data. Jefferson Health will cease processing unless it demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.
- Direct Marketing. If Jefferson Health is using your Personal Data for direct marketing purposes such as fundraising, you have the right to object at any time, and Jefferson Health will stop using your Personal Data for that purpose.
The Right to File a Complaint
You have the right to submit a complaint with an EU supervisory authority, in particular the one in the EU Member State of your habitual residence, place of work, or place of the alleged violation, if you believe that Jefferson Health’s processing of your Personal Data violates the GDPR.
For more information on the process for submitting a complaint, consult the relevant EU supervisory authority.
Retention of Personal Data
All Personal Data received and stored by Jefferson Health will be maintained for no less than the minimum number of years required by applicable laws. For example, hospitals must maintain patient records for ten (10) years and physician practices must maintain patient records for seven (7) years; some financial records must be maintained for accounting and audit purposes for a minimum of seven (7) years. At times, other laws or regulations require Jefferson Health to maintain records longer; for example, newborn records are maintained for a minimum of twenty-five (25) years under Pennsylvania regulations.
Jefferson Health takes reasonable security measures designed to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction. These measures include, but are not limited to, password protection for online information systems and restricted access to your Personal Data.
How to Exercise Rights
To exercise the rights set forth above, or to submit questions or concerns regarding the use or disclosure of Personal Data, contact the Data Protection Officer of Jefferson Health via mail at: The Privacy Office, 834 Chestnut Street, Suite 400, Philadelphia, PA 19107; via email at email@example.com; or via phone by calling +1-833-391-2547. Exercise of these rights provides access to a process but does not guarantee any particular outcome.