- 1. INTRODUCTION
- 2. OBJECTIVE
- 3. DEFINITIONS
- 4. PERSONAL DATA PROCESSING
- 4.1 Personnel in charge of Personal Data Processing
- 4.2 Products
- 4.3 Data Collection, Storage, Use and Destruction
- 4.3.1 Data Collection and Reception
- 4.3.2 Data Storage
- 4.3.3 Use of Data
- 4.3.4 Data Access
- 4.3.5 Production of Reports
- 4.3.6 Data Destruction
- 4.3.7 Data Processing Flowchart
- 5. DATA PROTECTION AND INFORMATION SECURITY TOOLS
- 6. CONTINGENCY PLAN
- 7. RESPONSIBLE PERSON OF DATA PROTECTION
- 8. CONTACT
1 - INTRODUCTION
Epimed Solutions (“Epimed”) specializes in solutions for the management of clinical and epidemiological information, which improve the efficiency of hospital care and patient safety.
Epimed has developed softwares capable of managing clinical information in real time, evaluating the performance and efficiency of hospitals’ ICU, assessing the risk of long-term stay of each patient in the ICU, managing clinical data and quality indicators, monitoring incidents and adverse events in hospitals, among other services (“Epimed System”).
The Epimed System operates by receiving data provided by hospitals, clinics, social health organizations and other health institutions (“Health Institution”), some of which are Personal Data and/or Sensitive Personal Data (“Data”), depending on the software and services hired by hospitals.
Epimed, as the Data Processor, will carry out the Processing of this Data according to the instructions provided by Health Institutions (“Controllers”).
2 - OBJECTIVE
The Policy is used to establish the way in which the Personal Data of Patients of Health Institutions are collected, processed, stored, erased and destroyed by Epimed. Thus, ensuring that the mechanisms that guarantee the use of Personal Data compatible with the designated purposes are put in place by Health Institutions and in accordance with GDPR, in addition to the use of technical and administrative measures suitable for the protection of Personal Data.
3 - DEFINITIONS
“Controller” – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Personal Data” – means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Special Categories of Personal Data” or “Sensitive Personal Data” – Sensitive personal data means any processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
“Data Concerning Health” – means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
“Health Institutions” – hospitals, clinics, social health organizations and other health institutions, contractors of Sistema Epimed (the Epimed System), who will act as Controller.
“General Data Protection Regulation” or “GDPR” ” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Processor” – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“Patients” – They are the patients of the Health Institutions, whose data are used in the Epimed System.
“Epimed System” – The definition is in item 1 of this Policy.
“Processing” – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“ICU” – Intensive Care Unit (in Portuguese, the acronym used is UTI).
4 - PERSONAL DATA PROCESSING
4.1 Personnel in charge of Personal Data Processing
The Processing of Personal or Sensitive Personal Data, as a rule, can only be carried out with the consent of the Patient. The Health Institutions, Controller agent under the terms of the GDPR, are the only and exclusive responsible personnel for obtaining the consent of the Patients, which must be free, informed and unequivocal, whereby Patients agree with the use of their Data for a determined purpose, in the exact terms of the GDPR.
Thus, for each service offered by Epimed, hired by Health Institutions, according to clause 4.2 below, a specific consent must be obtained from the Patient that authorizes Data Processing, objective of each service that makes up the Epimed System.
Therefore, Epimed, as an Processor under the terms of the GDPR, must carry out the Data Processing on behalf of the Health Institutions and according to the instructions provided by them, provided that they are lawful and in compliance with the GDPR, by entering into a signed contract between Epimed and the Health Institution.
Epimed has a trained and specialized team that will perform the appropriate and necessary Data Processing to meet the purpose of the Epimed System hired by each Health Institution.
The Epimed System includes a series of services that depend on the sending, by Health Institutions, of Patient Data.
The data collected, the processing and the purpose of each service, objective of the Epimed System, are described in the table below:
|Service||Patient Data||Purpose||Data Processing|
|Adult ICU/Pediatric and Neonatal ICU||Deidentified data (hospital record, age (birthdate is rounded to the first day of the respective month), weight, height and bed number), clinical data including diagnoses and comorbidities, use of invasive support/ventilation in the ICU and outcomes in the ICU and in the hospital. In the case of neonatal patients, deintenfied data of those responsible for the babies are also collected to identify the newborns.||Software used to manage clinical information and epidemiological profile in real time of the ICU of hospitals; access to the main specialized scores for stratifying patients’ severity; assessment of ICU performance and efficiency through risk-adjusted measures (efficiency matrix, standardized mortality and resource utilization rates); bedside monitoring of measures of adherence to best care practices and prevention of adverse events and healthcare-related infections with the use of checklists and bundles; assessment of the intensity of the patient’s need for nursing care to optimize the allocation of human resources in the ICU; and ICU clinical indicators for the hospital accreditation process.||Collection, reception, storage, access, processing, use, evaluation, monitoring, report production, and destruction of Data.|
|Performance||Use of Data already collected by the ICU System.||Assessment of the risk of long-term stay of each patient in the ICU, calculating, on the first day, the individual estimates of length of stay and probability of long-term stay in the ICU using exclusive predictive analysis algorithms, developed by Epimed.||Evaluation and reporting based on data collected by the ICU system and destruction of information.|
|CCCIH (Hospital Infection Control Commission)||Deidentified data (hospital record, age (birthdate is rounded to the first day of the respective month), weight, height and bed number), clinical data, including diagnoses and comorbidities, use of support/ventilation and invasive devices in the ICU; data related to infections and microbiology; use of antimicrobial agents and outcomes in the ICU and hospital.||Allows real-time management of nosocomial (hospital acquired) infection control indicators in health institutions.||Collection, reception, storage, access, processing and use of data, evaluation, monitoring, production, and destruction of reports.|
|Patient Safety||Deidentified data (hospital record, age (birthdate is rounded to the first day of the respective month), weight, height and bed number), clinical data, including diagnoses and comorbidities, use of ICU invasive support/ventilation, notification of adverse incidents and their respective processing, and outcomes in the ICU and at the hospital.||It allows real-time management of incidents/adverse events in health institutions.||Collection, reception, storage, access, processing, use, evaluation, monitoring, report production,
and destruction of Data.
|Nursing Activities Score
|Nursing care time in the Intensive Care Unit (ICU); number of nursing professionals per shift.||It estimates the nursing workload according to the characteristics of hospitalized patients and the use of resources in ICUs.||Collection, storage, reporting based on collected data and its destruction.|
4.3 Data Collection, Storage, Use and Destruction
4.3.1 Data Collection and Reception
Epimed only collects the deidentified Patient Data strictly necessary in the scope of the services offered by the Epimed System mentioned in item 4.2 above.
Health Institutions are responsible for sending Data to the Epimed System. The inclusion of Patient information in the Epimed System platforms can be performed, directly and manually, by the authorized personnel to access the Epimed System indicated by the Health Institutions (“Users“).
Users can choose to utilize an integration procedure offered by Epimed, through which the Patient Data is collected, by filling out a form, and, subsequently, Epimed performs its inclusion in the Epimed System.
4..3.2 Data Storage
After being collected and received by Epimed, the Data is stored on an online server always available in a cloud environment (“Database”) protected against invasions, leaks and deletions of Data.
Each Health Institution has direct access only to its own Data, with only Users duly registered at the Health Institution authorized to access them.
The Database is protected by adopting the controls and procedures adopted in item 5 of this manual and in the policies mentioned therein.
4.3.3 Use of Data
The data is used by Epimed according to the type of service hired by the Health Institution and to meet the purposes described in item 4.2 above.
4.3.4 Data Access
Only Users authorized by Health Institutions can have access to the Epimed System Data and Database.
In addition to the processing of Patient Data from Health Institutions, Epimed also needs to collect, store, use and destruct of Personal Data of the Epimed System Users to ensure that only authorized personnel have access to its platforms.
When starting its contractual relationship with Epimed, the Health Institution must share the information of a representative appointed as responsible for the approval and registration of the other employees of the Health Institution who may have access to the Epimed System at that institution. (“User in Charge”).
Once the User in Charge of the Epimed System is registered, the Health Institution becomes solely responsible for allowing new users to the Epimed System. The User in Charge is responsible for delegating access to Epimed’s services, as well as the scope of permission that new users will have in the Epimed System.
In order to register new Users, the User in Charge must make the name and e-mail data of this User available on the Epimed System.
Health Institutions must inform Epimed of the disconnection of any User of the Epimed System so that the credentials of these users can be disabled.
All mechanisms and precautions for the protection of collected Patient Data also apply to the Personal and/or Sensitive Personal Data of Epimed System Users held by Epimed.
220.127.116.11 Epimed Professionals with Data Access
In addition to the personal data and Database protection measures described in item 5 of this policy, Epimed grants restricted and limited access to certain Epimed employees to ensure the proper functioning, maintenance, correction and protection of the Epimed System.
For this purpose, Epimed physically sets apart employees who have access to the Database, in addition to ensuring that the Database will be only accessed through proper identification and password.
Employees with access to the Database fully adhere to Epimed’s confidentiality policy by signing the Epimed Code of Ethics and Conduct.
4.3.5 Production of Reports
The Health Institution may generate reports related to the type of contracted service listed in item 4.2 above.
The reports can depict the profiles of patients with infection cases, display interactive dashboards with detailed information about the infection cases, detail the profile of use and appropriateness of prophylactic antibiotics, detail the incidence of multiresistant pathogens and qualified benchmarking.
The reports generated by Epimed, as a rule, do not reproduce Personal and/or Sensitive Personal Data, constituting only statistics in relation to the events that occurred within the Health Institutions, disregarding the personal identification of Patients.
Only the reports that portray the profile of the patients may use deidentified Patient Data, considering that the personal data reported in item 4.2 of who receives the treatment carried out by the Health Institution is indispensable in this case.
All reports generated by the Epimed System are able to identify the User who produced it, ensuring greater control over Data circulation.
4.3.6 Data Destruction
The data stored in the Epimed Database will be destructed in the event of a specific order from the Health Institutions, or in the event of the termination of Epimed’s contractual relationship with the Health Institution, which will receive a copy corresponding to its Database.
Epimed will perform the destruction within a period of up to 04 (four) months after the due request for destruction of the Data by the Health Institution, or the termination of the contract, unless there is an explicit request by the Health Institution or Controller for maintenance of Data in the Epimed System Database.
The destruction is carried out in a safe manner, under the terms required by the GDPR, by means of a logical exclusion procedure in the Epimed Database. Once the erasure is performed, it will not be possible to restore the data after 30 (thirty) days.
4.3.7 Data Processing Flowchart
4.3.8 Data Protection
Epimed makes every effort to protect the confidentiality of the Data, adopting the best information security practices for the traffic and storage of data and information, including, but not limited to:
- The adoption of good security practices, described in Epimed’s Information Security Policy and in ISO/IEC 27001 standards;
- Safe data storage, through the adoption of encryption throughout its entire Database;
- Risk management, including the mapping of information and Data exchange interfaces between Epimed users, and other measures provided for in Epimed’s Information Security Risk Management Policy;
- Failure to carry out external data transfer, both nationally and internationally;
- Monitoring and cybersecurity security alerts;
- The segregation of access profiles, so that access to information and data will be restricted to certain access profiles defined by Infrastructure Management, as described in Epimed’s Information Security Policy.
Epimed periodically undergoes a rigorous external information security audit based on ISO/IEC 27001 standards. The Data Protection performed by Epimed, in addition to the measures mentioned above, it also includes the Data security measures and procedures detailed in the Information Security Policy, Secure Software Development Policy and Epimed’s Risk Management Policy, which are documents.
In addition, all Employees are committed to protecting the confidentiality of any private information from Epimed, and must strictly observe the provisions of the GDPR and Epimed’s policies, committing themselves, in particular, to receiving and safeguarding all the Data that they may have access to, as detailed in the Epimed Code of Ethics and Conduct.
5 - DATA PROTECTION AND INFORMATION SECURITY TOOLS
Epimed adopts technical and administrative security measures in order to protect Personal Data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or illicit Data Processing.
Epimed performs a risk analysis to which it is subject to in terms of confidentiality, integrity and availability of the information it receives.
This risk analysis aims to enable the identification, evaluation, processing, monitoring and communication of operational, technological and imaging risks, in addition to fostering safer software development and application of measures that remove vulnerability and threats to the breach of network security and the Epimed System.
Epimed maintains an information security risk management system which has a trained and specialized IT technical team that:
- Performs the qualitative and quantitative analysis of Epimed’s information security risks, creating risk indicators that are constantly monitored;
- Supervises the implementation and maintenance of action plans and achievement of established goals for protection of the information security system;
- Communicates any failure and/or suggestion to the Risk Management Committee responsible for the periodic review of Epimed’s risk management, definition of the risks to be prioritized for processing, considering the high and low level of exposure, report to the Board the results of the process of risk management and approval of action plans to mitigate information security risks.
For further clarification on Epimed’s information security risk management, check Epimed’s Information Security Risk Management Policy.
From the information security risk analysis, Epimed develops, implements and updates its software in order to guarantee its efficiency, security and compliance with the applicable legislation, including the GDPR, observing the application of the following measures:
- Creation of strong passwords and strict care in the distribution of permissions to access information in Epimed’s Databases, in addition to the implementation of logical and/or physical access to prevent any unauthorized access;
- Structuring of secure communication channels through which the safeguarded transmission of Data through the Epimed System is guaranteed;
- Use of tools that reinforce the resilience of the Epimed System to attacks and unwanted invasions that represent any risk to the collected information;
- Maintenance of tracking records and consultation of incidents related to the security of the Epimed System, in order to make them available for risk assessment auditing;
- Conducting security tests that confirm that Epimed’s software is safe and effective in maintaining the confidentiality of the collected information;
- Implementation of encryption of the software and Databases operated by Epimed, including individualized encryption of the identification data of Patients, Health Institutions and Users of the Epimed System, in order to reinforce security and the difficulty of access by unauthorized personnel to information collected by the Epimed System.
The Epimed System will also undergo an annual external audit to evaluate its entire information security and Data Protection system.
For further clarification on the secure software development by Epimed, check the Secure Software Development Policy.
In addition to the steps already described, Epimed also reinforces its commitment to the data protection, through measures that are applied to all employees, Users or any custodians of information from Epimed, Health Institutions and/or Patients (“Team Members”):
- Guidance of Team Members in relation to care and diligence in Data Processing;
- Conducting training for its employees, in order to ensure the development of a multidisciplinary team dedicated to guiding and implementing the appropriate security policies and Data Protection mechanisms to mitigate any risk of data leakage or misuse in all areas;
- Application of security tests;
- Restriction of the information that can be accessed by Epimed’s Team Members to what is strictly necessary to provide the services of the Epimed System;
- Restriction of access to information to Epimed’s facilities, with the possibility of remote access to Epimed’s Data, as long as this execption is approved by at least 2 (two) directors of Epimed;
- Periodic verification of all Team Members who have access to information from Epimed, Health Institutions and/or Patients, in order to maintain detailed control of who can access the Epimed System, ensuring that the information is viewed only by duly authorized personnel;
- Use of antivirus and other forms of protection of the machines of all Epimed’s Team Members to ensure that there is no invasion and disruption of the Data handled by Epimed.
To ensure that Team Members comply with the guidelines and measures adopted for Data Protection, Epimed adopts a Code of Ethics and Conduct, as well as a Confidentiality Term that must be signed by all employees, Users or anyone who has access to Patient Data.
For further clarification on the measures applied to Epimed’s team members, check the Information Security Policy and the Epimed Code of Ethics and Conduct.
6 - CONTINGENCY PLAN
Epimed establishes a series of procedures for reporting incidents on information security and leakage of data stored within a reasonable time frame, as well as for immediate containment of the possible damage that a leak may represent to Patients and the Health Institutions involved.
In the occurrence of any event of data leakage and/or use outside the purpose for which it was contracted, Epimed undertakes to adopt the following measures:
- Collect evidence of what happened correctly in accordance with normative and regulatory requirements;
- Immediately notify the Health Institution and any other interested party in the event of a real or suspected breach of security, unauthorized access, loss, damage or any other type of corruption of security, confidentiality or integrity of the personal data processed by Epimed;
- Perform formal validation of information security or Data Protection incidents so that control procedures and measures can be improved and lessons learned from any incidents so that they are communicated to management for validation and approval of new actions.
- Act with all efforts and in the shortest time possible to prevent any future breach of security to the Epimed System;
- Assist in any notification that the Health Institution must make due to data leakage;
- Provide the Health Institution with complete and prompt cooperation and assistance in relation to any complaint, communication or request received from any Data Subject.
Epimed also provides in its the sample form for reporting data leaks that must be filled in with detailed information in relation to Epimed’s breach of security and forwarded to the Health Institution and any other interested party.
7 - RESPONSIBLE PERSON OF DATA PROTECTION
In view of the importance of Personal Data Protection, Epimed has appointed a responsible person of the implementation and monitoring of this Policy and the other provisions related to the GDPR (“Responsible Person of Data Protection”).
To ensure compliance with this Policy and the GDPR, the Person in Charge of Data Protection will implement the following measures:
- It will be conducted, annually, a training program for its Team Members in all Epimed’s business units, on this Policy and the GDPR, which may be in person, by videoconference or other non-in person means, for example, via Web;
- An annual questionnaire about the Policy and the GDPR will be applied. It is to be answered by all of its employees, partners and administrators;
- An annual external audit will be conducted to assess the risks exposed and the measures that can be taken to mitigate these risks or solve them. This audit will be carried out throughout the Epimed System – including documentation, hosting, security policies, internal access and servers. After the audit, a certification will be made of the electronic records of health data; and
- Coordinate the updating of this Policy.
8 - COMMUNICATION OF DATA TO OTHER ENTITIES
Epimed does not use other entities to provide the service contracted by the Health Institutions, except for external audit companies that will be contracted annually to verify and validate Epimed’s information security system.
Epimed may also transmit Personal Data of Patients to third parties, when it deems such data communications as necessary or appropriate (i) in light of the applicable law, (ii) in compliance with legal obligations/court orders, (iii) to respond to requests from public or government authorities or (iv) for the purpose of certification, evaluation and measurement of service levels of the Epimed System.
In any of the situations mentioned above, Epimed is commited to take all reasonable measures to ensure the effective Personal Data Protection of Patients.
9 - CONTACT
To report matters deemed convenient within the scope of this policy, the Health Institutions and/or Patients can send any request regarding them, in writing, to the following e-mail address: email@example.com
This Policy is subject to changes to better adapt it to the GDPR and to the norms of the Independent Supervisory Authority.
Epimed can change this policy at any time, when deemed necessary. If there are substantial changes, you will be informed to review the changes before they take effect. If you do not agree with any of the changes, you can request to close your user account. In this case, Epimed will forward your request to the person responsible for the Epimed System at your Health Institution.
For any doubt or question about the collection and processing of personal data made by Epimed, please contact us.