INTRODUCTION:
Protecting the privacy of our customers, their patients, and our employees is important to MEDRAD, Inc. (“MEDRAD”). In addition to complying with local data security and privacy regulations of the countries within which we operate, such as Directive 95/46/EC of the European Community governing processing within the territory of the European Union or European Economic Area and the Health Insurance Portability and Accountability Act of 1996 regulating the security and privacy of protected health information in the United States, MEDRAD adheres to the Safe Harbor Agreement concerning the transfer of personal data from the European Union (“EU”) to the United States of America (“U.S.”).
This privacy policy outlines our general policy regarding data security and privacy and the Safe Harbor Principles published by the U.S. Department of Commerce (the “Principles”), including the types of information we gather, how we use it and the notice and choice affected individuals have regarding our use of and their ability to correct that information. This privacy policy applies to all personally identifiable information received by MEDRAD whether in electronic, paper or verbal form.
DEFINITIONS:
“Personally Identifiable Information”, “Personal Information”, or “PII” means any data element that (1) is transferred from the EU to the U.S.; (2) is recorded in any form; (3) is about, or pertains to, a specific individual; and (4) can be linked to that individual whether through the information or the collection of the information and other, publicly available, information on the individual.
PRINCIPLES:
Notice
MEDRAD shall inform a customer or employee of the purpose for which it collects and uses the PII and the types of non-agent third parties to which MEDRAD discloses or may disclose that information. MEDRAD shall provide the individual with the choice and means for limiting the use and disclosure of their PII. Notice will be provided in clear and conspicuous language when individuals are first asked to provide PII to MEDRAD, or as soon as practicable thereafter, and in any event before MEDRAD uses or discloses the PII for a purpose other than that for which it was originally collected.
Choice
MEDRAD will offer customers or employees the opportunity to choose (opt out) whether their PII is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
Onward Transfers
Safeguards for potential disclosure via Certegra remote or on-site support
While appropriate policies, procedures, and other controls have been implemented by MEDRAD to prevent the disclosure of patient PII from a customer’s Certegra system to a MEDRAD support technician, the presence of this connection, whether remote or on-site, poses the risk of information disclosure. For this reason, MEDRAD has taken the necessary measures to adhere to the Safe Harbor principles to help ensure the privacy of any disclosed PII will be upheld.
Onward transfer of customer or employee PII
Prior to disclosing PII to a third party, MEDRAD shall notify the individual of such disclosure and allow the individual the choice (opt out) of such disclosure. MEDRAD shall ensure that any third party to which PII may be disclosed subscribes to the Principles or is subject to law providing the same level of privacy protection as is required by the Principles and agrees in writing to provide an adequate level of privacy protection.
Data Security
MEDRAD has established a comprehensive data security and privacy program to protect PII from loss, misuse and unauthorized access, disclosure, alteration and destruction. This program includes appropriate administrative, physical, and technical safeguards to secure PII received, prevent misuse, and mitigate any potential harm to individuals in the event of a breach.
Data Integrity
MEDRAD shall only process PII in a way that is compatible with and relevant for the purpose for which it was collected and authorized by the individual. To the extent necessary for those purposes, MEDRAD shall take reasonable steps to ensure that PII is accurate, complete, current and reliable for its intended use.
Access
Access to customer or employee PII
In the event MEDRAD is storing PII of an individual, MEDRAD shall allow the individual access to their PII and allow the individual to correct, amend, or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Access to PII recorded within Certegra by customer or individual authorized by customer
In the event that the information in question was collected within Certegra by a customer employee or other individual authorized by the customer, the request for access, correction, amendment, or deletion of inaccurate information must be made and approved by the customer who may then authorize MEDRAD to perform the requested action, given the above conditions regarding the expense of providing such action.
Enforcement
MEDRAD uses a self-assessment approach to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding the use and disclosure of Personally Identifiable Information in accordance with the Principles.
If a complaint or dispute cannot be resolved through our internal process, we agree to dispute resolution using the European Data Protection Authorities as a third party resolution provider.
AMENDMENTS:
This privacy policy may be amended from time to time consistent with the requirements of the Safe Harbor. We will post any revised policy on this website: www.medrad.com/en-us/aboutmedrad/Pages/privacy-policy.aspx
INFORMATION SUBJECT TO OTHER POLICIES:
MEDRAD is committed to following the Principles for all PII within the scope of the Safe Harbor Agreement. However, certain information is subject to the policies of MEDRAD, or its parent corporation, that may differ in some respects from the general policies set forth in this privacy policy.
CONTACT INFORMATION:
Questions, comments or complaints regarding the MEDRAD Safe Harbor Policy or data collection and processing practices can be mailed or emailed to:
MEDRAD, INC.
Attn: Security and Privacy Officer
100 Global View Drive
Warrendale, PA 15086
USA
jdipasquale@medrad.com
Effective Date: September 22, 2011