Privacy Procedure SOP-031. Version: 04.01

Transcription

1 SOP-031 Version: Effective Date: 01-Mar-2017

2 Table of Contents 1. DOCUMENT HISTORY APPROVAL STATEMENT PURPOSE SCOPE ABBREVIATIONS PROCEDURES COLLECTION OF PII USE AND MAINTENANCE OF PII ACCIDENTAL EXPOSURE OF PII RIGHTS OF INDIVIDUALS MAINTAINING APPROPRIATE SECURITY DISCLOSURE OF PII TRAINING AND MONITORING COMPLIANCE AND WAIVERS COMMUNICATION OF ISSUES HIPAA AND HITECH AWARENESS HIPAA HITECH SCOPE PENALTIES PRIVACY SHIELD INTRODUCTION DECLARATION OF COMMITMENT EU INDIVIDUALS RIGHTS AND LEGAL REMEDIES PURPOSE LIMITATION COOPERATION WITH THE US DEPARTMENT OF COMMERCE TRANSPARENCY RELATED TO ENFORCEMENT ACTIONS ANNUAL REVIEW ONWARD TRANSFERS EU MODEL CONTRACT CLAUSES EU REGULATIONS 2016/679 AND 2016/ SAFE HARBOR RULING OF File: SOPS Privacy Procedure.doc Page 2 of 13

3 1. Document History Version Issue Date Authors Summary of Changes Oct-2013 Uwe Trinks First issuance Nov-2013 Eric M. Stroud Updated per S.003 to include Section 4, the mandatory affirmative statement from U.S. Department of Commerce / International Trade Administration Dec-2015 Eric M. Stroud Updated per S.039 to remove Safe Harbor provisions. Added Section 7 to define HIPAA and HITECH. Added Section 8 to discuss Safe Harbor ruling. Named policy to procedure Nov-2016 Eric M. Stroud Updated per CA-326 to define US-EU Privacy Shield principles (Section 8). Consolidated Form-530 into the procedure body. Included new EU Directives (Section 10) and EU Model Contract Clauses (Section 9) Feb-2017 Eric M. Stroud Added Section 8.8 for clarification of liability of onward transfers by request from ITA/PrivacyShield.gov Case # SIGNATURES ON FILE PARSIPPANY, NJ Dr. Eric M. Stroud Author, Quality Assurance Date 2. Approval Statement The undersigned agree that the information detailed in this document accurately describes Foresight s Privacy Procedure. Dr. Uwe Trinks Privacy Officer Date Stephen A. Wright Partner in Charge of Quality Date File: SOPS Privacy Procedure.doc Page 3 of 13

4 3. Purpose The purpose of this document is to define Foresight s policy towards processing, storing and distribution of Personally Identifiable Information (PII) or Individually Identifiable Health Information (Protected Health Information, PHI). This policy is written in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Background; the Standards for Privacy of Individually Identifiable Health Information; Final Rule (45 CFR Part 160 and Subparts A and E of Part 164) as part of the Health Insurance Portability and Accountability Act (HIPAA); the Federal Policy for the Protection of Human Subjects and the FDA s human subject protection regulations (21 CFR Part 50 and 56). PII might be processed or accessed in a variety of business and commercial context that include (i) sales and marketing, (ii) human resources and employee management and (iii) Foresight client applications. Foresight does not, per se, create or collect sensitive personal information in client applications. Foresight may create or collect personal information as part of its business of implementing, validating and hosting global drug safety and risk management systems, and Foresight will be exposed to such information collected and processed by its clients. Foresight will therefore apply with all the necessary global requirements and applicable law protecting such data and will take any necessary precautions to prevent accidental disclosure of such data. Where local laws or regulations governing PII impose more stringent protections than arise under this policy, Foresight must comply with such laws and regulations. 4. Scope Personally Identifiable Information (PII) refers to information that identifies, or could be used to identify, an individual. For purpose of this policy, PII shall include Sensitive Personally Identifiable Information (SPII) and its subset Protected Health Information (PHI) and exclude information that Foresight cannot reasonably attribute to a particular individual without a disproportionate amount of time, effort or expense. This policy applies to all Foresight legal entities worldwide, all Foresight staff and all third parties processing or accessing PII on Foresight s behalf. 5. Abbreviations Abbreviation CFR FDA HIPAA HITECH Definition (United States) Code of Federal Regulations (United States) Food and Drug Administration Health Insurance Portability and Accountability Act Health Information Technology for Economic and Clinical Health File: SOPS Privacy Procedure.doc Page 4 of 13

5 Abbreviation PHI PII SOP SPII Definition Protected Health Information, subset of PII relating to health information. Personally Identifiable Information, information that identifies or could be used to identify an individual. Standard Operating Procedure Sensitive Personally Identifiable Information, subset of PII relating to an individual s race or ethnicity, political opinions, religious or philosophical beliefs, trade union memberships, commission of criminal offenses, health, sex life or sexual orientation, government issued identification numbers, credit or debit card details or any other PII whose unauthorized acquisition, use, modification, loss or disclosure presents a greater risk of harm to the relevant individual. 6. Procedures Each Foresight member is individually responsible for the confidentiality and security of PII and for complying with this policy when processing or accessing PII in connection with their normal work activities. Each Foresight member is also responsible for ensuring that third party members who process or access PII on behalf of Foresight comply with this policy. This SOP defines the procedures that are designed to assure that collection, use and maintenance, and incident reporting are in compliance with all applicable laws and defines the procedures for training, monitoring compliance and waivers. Security of PII is covered in SOP SOPS-018 Foresight Security Procedure. Foresight Partners and Senior Membership are responsible for enforcing compliance with this policy by all members and third party suppliers. The Foresight Privacy Officer is responsible for implementing additional policies, procedures, practices or forms as may be required to comply with this policy. Each Foresight member shall promptly notify local Foresight management if it appears that this policy conflicts with any local legal or regulatory obligations. If local Foresight management verifies that a conflict exists, they shall subsequently notify the Foresight Privacy Officer. 6.1 Collection of PII Foresight staff must only collect the minimum amount of PII necessary to serve specific, legitimate business purposes, including commercial and legal purposes. Where such purposes allow, Foresight staff must rely on information that does not identify individuals rather than PII. Foresight staff must collect PII by fair and lawful means. Where required or practicable, Foresight staff must furnish information to individuals about the types of PII collected relating to them, the purposes for which PII is used, any rights the individual may have in and to the PII, disclosures of the PII to third parties, and other relevant information. Foresight staff may not need to furnish the above information if all of the following requirements are met: (i) a specific, legitimate business purpose exists, (II) only the minimum File: SOPS Privacy Procedure.doc Page 5 of 13

6 amount of PII is collected and (iii) the PII is a matter of public record or is otherwise in the public domain. Foresight must obtain an individual s informed and voluntary consent to process their information where it is necessary or appropriate to do so. 6.2 Use and Maintenance of PII Prior to use of any PII, Foresight staff must ensure that any intended use of the PII serves a specific business purpose and must be in compliance with this policy and applicable law. Foresight staff must maintain the integrity and accuracy of the PII that is processed and correct or amend any PII that it finds incorrect. PII collected for a specific business purpose must not be processed by Foresight staff for subsequent, incompatible purpose without the prior consent of the individual or unless otherwise permitted or required by applicable law. 6.3 Accidental Exposure of PII As part of its business of implementing, validating and hosting global drug safety and risk management systems, Foresight staff might be exposed to PII information collected and processed by its clients. Accidental exposure to PII information, not related to the tasks described above or any accidental loss of such information requires immediate notification of the Privacy Officer. 6.4 Rights of Individuals Where required by law or where practicable, Foresight staff must provide individuals with access to, or information about, PII collected by Foresight related to them, and must allow an individual s request to delete or correct incorrect information. Such requests for information hosted by Foresight, but collected and processed by one of its clients, must be satisfied by the client. Foresight staff must seek a prompt and fair resolution of any complaints brought by individuals related to the processing of PII, as well as cooperate with authorities and regulators resolving such complaints. The Privacy Officer has to be notified about any such complaint. 6.5 Maintaining Appropriate Security Foresight must implement safeguards to prevent the occurrence of Security Incidents involving PII. Safeguards are described in SOP SOPS-018 Foresight Security Procedure. The safeguards must correspond to the sensitivity of PII (e.g. SPII or PHI require a higher level of security). Foresight staff must ensure that PII is only processed or accessed by authorized Foresight staff or third party suppliers and that such processing or access is consistent with their roles and responsibilities. Foresight staff must promptly report Security Incidents in accordance with SOP SOPS-018 Foresight Security Procedure. Foresight staff must retain PII as long as necessary to fulfill its specific business purpose and then must delete, destroy or anonymize PII as promptly and securely as possible in File: SOPS Privacy Procedure.doc Page 6 of 13

7 compliance with client contracts or SOP SOPS-017 Document Retention Procedure. 6.6 Disclosure of PII Foresight staff must only disclose PII to other third parties where specifically authorized to do so and in compliance with applicable laws. Foresight staff must not transfer of any Foresight client data containing PII from Foresight premises or data centers without a signed and approved Data Transfer Agreement. Prior to international transfer of PII data, Foresight staff must assure that the protection to PII applies to the laws and regulations in the country of origin, except where the transfer is based on a legal exception found in applicable laws. 6.7 Training and Monitoring Foresight staff must be trained in the proper implementation of this procedure. Periodic reviews must be conducted to ensure compliance with this policy. 6.8 Compliance and Waivers All Foresight staff must acknowledge the Computer and Information Usage Agreement, found at Appendix 1 of this Privacy Procedure. The completion of training on this Privacy Procedure provides acknowledgement of the Computer and Information Usage Agreement via an electronic signature in Foresight s Learning Management System. Any requirement in this policy may be waived conditionally on a case-by-case basis in exceptional circumstances with written authorization form the Privacy Officer. If approved these exceptions must be recorded by the Privacy Officer and communicated to all relevant Foresight staff and third party providers. 6.9 Communication of Issues All questions or concerns regarding the implementation of this policy must be directed to local Foresight management or directly to the Privacy Officer. 7. HIPAA and HITECH Awareness 7.1 HIPAA HIPAA is the United States federal Health Insurance Portability and Accountability Act of HIPAA enforcement occurs via the following rules: The HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; File: SOPS Privacy Procedure.doc Page 7 of 13

8 7.2 HITECH The HIPAA Security Rule, which sets national standards for the security of electronic protected health information; The HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and, The confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety. Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate. Breach notification requirements may be found at the United States Health and Human Services website. The United States Health Information Technology for Economic and Clinical Health Act (HITECH) builds on HIPAA to strengthen the rules designed to protect the privacy and security of health-related data. The HITECH Act outlines two main goals: 1. Make electronic health records interoperable by establishing standards; and, 2. Develop a national network for providers to share electronic data. The HITECH Act requires covered entities under HIPAA to report data breaches, which affect 500 or more persons, to the United States Department of Health and Human Services, to the news media, and to the people affected by the data breaches. This subtitle extends the complete Privacy and Security Provisions of HIPAA to the business associates of covered entities. 7.3 Scope Foresight operates as a business associate and not as a covered entity under HIPAA and HITECH. Foresight is not a health care provider and it is not a medical clearinghouse. Foresight is not a market authorization holder and does not perform case processing. 7.4 Penalties The tiered structure for imposition of civil money penalties for data breaches under the HIPAA and HITECH Acts and the Final Rule distinguishes the level of culpability as follows: Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA/HITECH $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million File: SOPS Privacy Procedure.doc Page 8 of 13

9 Violation Minimum Penalty Maximum Penalty HIPAA/HITECH violation due to reasonable cause and not due to willful neglect HIPAA/HITECH violation due to willful neglect but violation is corrected within the required time period HIPAA/HITECH violation is due to willful neglect and is not corrected $1,000 per violation, with an annual maximum of $100,000 for repeat violations $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million 8. Privacy Shield 8.1 Introduction The EU-US Privacy Shield Framework was designed by the US Department of Commerce and European Commission (EU) to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US in support of transatlantic commerce. The Privacy Shield Framework provides a set of robust and enforceable protections for the personal data of EU individuals. The Framework provides transparency regarding how participating companies use personal data, strong US government oversight, and increased cooperation with EU data protection authorities (DPAs). The Privacy Shield Framework offers EU individuals access to multiple avenues to address any concerns regarding participants compliance with the Framework, including free dispute resolution. The Framework ensures a continuing level of protection consistent with Privacy Shield Principles when personal data collected under the Framework is transferred to third parties. The Framework also makes it easier for EU individuals to understand and exercise their rights. 8.2 Declaration of Commitment Foresight hereby provides its commitment to comply with the Privacy Shield Principles. Foresight shall take reasonable and appropriate measures to protect transferred personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. 8.3 EU Individuals Rights and Legal Remedies Individuals in the EU may bring a complaint directly to the Foresight Privacy Officer, who must respond to the individual within 45 days. Foresight must provide, at no cost to the individual, an independent recourse mechanism by which each individual s complaints and disputes can be investigated and expeditiously resolved. Foresight uses EU Data File: SOPS Privacy Procedure.doc Page 9 of 13

10 Protection Authorities (DPAs) as recourse mechanisms. As such, the US Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days. 8.4 Purpose Limitation Foresight shall limit personal information to the information relevant for the purposes of processing. 8.5 Cooperation with the US Department of Commerce Foresight must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework. If Foresight leaves the Privacy Shield Framework, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data or provide adequate protection for the information by another authorized means. Foresight shall commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms. 8.6 Transparency Related to Enforcement Actions Foresight must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the Federal Trade Commission (FTC) if the organization becomes subject to an FTC or court order based on non-compliance. 8.7 Annual Review On an annual basis, the Foresight Privacy Office and Foresight Quality Assurance must ensure the following: This Privacy Procedure is Accurate, comprehensive, prominently displayed, completely implemented and accessible ; This Privacy Procedure conforms to the Privacy Shield principles; Individuals are informed how to submit complaints, both internally and to the relevant EU data protection authority; Employees with access to transferred personal data have received training and will be disciplined for policy violations by Foresight Human Resources; and, The organization conducts periodic compliance reviews. 8.8 Onward Transfers In the context of an onward transfer, Foresight has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Foresight shall remain liable under the Privacy Shield principles if its agent processes such personal information in a manner inconsistent with the principles, unless the organization proves that it is not responsible for the event giving rise to the damage. File: SOPS Privacy Procedure.doc Page 10 of 13

11 9. EU Model Contract Clauses If a client requires transfer of EU privacy data from the EU to a country other than the US or Switzerland, EU Model Contract Clauses shall be the preferred framework for such transfers. The client must agree that the EU Model Contract Clause is a sufficient framework. 10. EU Regulations 2016/679 and 2016/680 Foresight is presently monitoring EU Data Protection Regulation 2016/679 and EU Data Protection Directive The Privacy Officer and Quality Assurance have the responsibility to translate the relevant aspects of these directives into practice within Foresight. 11. Safe Harbor Ruling of 2015 Foresight has held United States-European Union Safe Harbor self-certification since April 16, On October 6, 2015, the European Court of Justice examined the case of an Austrian citizen who claimed that his data, in light of revelations by Edward Snowden that United States agencies spied upon people in other nations, wasn't being adequately protected by Facebook. No appeal was allowed, as the European Court of Justice is the equivalent of the United States Supreme Court. The ruling immediately invalidated the Safe Harbor agreement, with no phaseout period. Foresight s participation in the US-Swiss Safe Harbor Framework was not affected by joining the EU-US Privacy Shield Framework and remains in effect. File: SOPS Privacy Procedure.doc Page 11 of 13

12 APPENDIX 1- Computer and Information Usage Agreement Internet access and all Foresight Group International A.G. ( Foresight Group, Company ) electronic communication systems, such as electronic mail and voice mail, are property of the company and made available to Foresight Group associates, contractors and agents of the Company only to carry out the legitimate business of Foresight Group. Their use and the use of the information sent to or from or stored in Company communication systems needs to be regulated in order to prevent accidental or incidental damage to the company. This agreement covers the usage of Foresight Group computer and information by Foresight Group employees as well as computer and information at any Foresight client s site and has to be signed before access is granted to Foresight Group computer systems. For existing Foresight Group employees, a grace period of two months is granted. Foresight Group considers maintaining the security and confidentiality of Protected Health information (PHI) a matter of its highest priority. All those granted access to this information must agree to the standards set forth in this Computer and Information Usage Agreement. All those who cannot agree to these terms will be denied access to PHI entrusted by patients to Foresight Group or its customers. Each person accessing Foresight Group or its customers data and resources holds a position of trust relative to this information and must recognize the responsibilities entrusted in preserving the security and confidentiality of this information. All Foresight Group employees and consultants must comply with the following policy: As an associate with access to all or parts of the Foresight Group network, I will: Respect the privacy and rules governing the use of any information accessible through the computer system or network and only utilize information necessary for performance of my job. Respect the ownership of proprietary software. For example, do not make unauthorized copies of such software for your own use, even when the software is not physically protected against copying. Respect the finite capability of the systems, and limit use so as not to interfere unreasonably with the activity of other users. Respect the procedures established to manage the use of the system. Prevent unauthorized use of any information in files maintained, stored, or processed by Foresight Group. Not seek personal benefit or permit others to benefit personally by any confidential information or use of equipment available through my work assignment. Not operate any non-licensed software on any computer provided by Foresight Group. Not exhibit or divulge the contents of any record or report except to fulfill a work assignment and in accordance with Foresight Group policy. Not knowingly include or cause to be included in any record or report, a false, inaccurate, or misleading entry. Not remove PHI from the office where it is kept except in the performance of my duties. Understand that the information accessed through all Foresight Group information systems File: SOPS Privacy Procedure.doc Page 12 of 13

13 contains sensitive and confidential patient/member care, business, financial and hospital employee information, which should only be disclosed to those, authorized to receive it. Not release my password, authentication code or device to anyone else, or allow anyone else to access or alter information under my identity. Not utilize anyone else's authentication code or device in order to access any Foresight Group system. Assure that the screensaver on my system is turned on with password protection and a 15 minute timeout. Respect the confidentiality of any reports printed from any information system containing patient/member information and handle, store and dispose of these reports appropriately. Not divulge any information that identifies PHI. Understand that all access to the system might be monitored. Understand that all data stored on Foresight Computer Systems are not considered private and can be audited by the company at all times. I understand that my access to data maintained by Foresight Group is a privilege and not a right afforded to me. By completing training on this procedure, I agree to protect the security of this information and maintain all PII in a manner consistent with the requirements outlined under the privacy regulations and applicable state laws. I understand that violation of this agreement can lead to disciplinary action. File: SOPS Privacy Procedure.doc Page 13 of 13