EU Notice of Privacy Practices - Effective August 27, 2021

Summary

At UPMC, we are committed to protecting the privacy of your Personal Data, as European Union (“EU”) regulations require. When we say “Personal Data,” we mean any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, using identifiers that can include a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Attached is UPMC’s “Notice of EU Privacy Practices” (“EU Notice”). The EU Notice explains how we meet this commitment. The EU Notice also explains the Personal Data we collect and process and your rights under the European Union and its member states.

In this EU Notice, the words “we,” “us,” and “our” mean UPMC and all the people and places that follow this EU Notice. All people and places that make up UPMC who collect Personal Data from individuals who are in the EU at the time the Personal Data is collected must follow the EU Notice.

Personal Data We Collect

For our Patients – UPMC may collect your Personal Data to deliver healthcare services related to health promotion, disease prevention, diagnosis, treatment, and rehabilitation at your request. We may also collect your Personal Data for administrative and accounting activities closely related to the healthcare services you intend to receive. Types of Personal Data we may collect include:

• Personal identification information (Name, birthdate, address, phone number, gender, next of kin, etc.)
• Health information (Medical history, diagnosis, test and procedure results, clinical notes, etc.)
• Financial information (Health insurance and payment details)

For our Workforce – UPMC may collect your Personal Data for employment and staff-related purposes. Types of Personal Data we may collect include:

• Personal identification information (Name, birthdate, address, phone number, gender, next of kin, employee number, ID number, etc.)
• Job-related information (resume/application, job title, salary, length of employment, training, time and attendance data, etc.)

We will not collect Personal Data about you if the collection of such Personal Data is in violation of your fundamental rights as an individual and/or a minor.

How We Use Your Data

UPMC may process your Personal Data for the business, treatment, payment, or health care operations purposes that this EU Notice describes.

For our Patients - UPMC may create and maintain records with Personal Data about your care. We may collect, process, and store your Personal Data for purposes such as:

• Providing healthcare services to you.
• Designing, implementing, and/or maintaining patient care and patient-related information systems.
• Maintaining medical records (including transcriptions, laboratory results, diagnostic images, and other types of clinical information).
• Performing government reporting.
• Conducting auditing, accounting, financial, quality assurance and economic and clinical analyses.

For our Workforce - UPMC normally creates and maintains records with Personal Data about your employment or staff-related services. We may collect, process, and store your Personal Data, and/or transfer this Personal Data to the U.S. for purposes such as:

• Management and administration of employment-related matters.
• Designing and administering compensation, benefits, and human resource programs.
• Designing and implementing employment-related education and training programs.
• Monitoring and evaluating employee conduct and performance.
• Maintaining plant and employee security, health, and safety.
• Facilitating communications, negotiations, transactions, and conferences.
• Compliance with contractual and legal obligations.

UPMC shall not use your Personal Data in a way that is incompatible with the purposes for which it has been collected unless authorized by you. UPMC will also take reasonable steps to ensure that Personal Data collected is relevant for its intended use, and is accurate, complete, and current.

Recipients of Your Personal Data

Our workforce includes our staff, physicians, students, residents, trainees, volunteers, and others providing services within or for these facilities, who may or may not be directly employed by UPMC and may have access to your Personal Data.

UPMC may transfer Personal Data to a third party acting as its agent (e.g., health care operations, medical consultants, tax advisors and preparers, accountants, auditors, lawyers, financial services, and benefit administrators) without the necessity to provide additional notice to you, as long as UPMC has entered into an appropriate agreement under which such third party is obligated to adhere to requirements at least as restrictive as those set forth in this EU Notice. Personal Data that is transferred shall comply with the EU GDPR and any other applicable EU individual provider-based data protection agreements. With respect to sensitive Personal Data (for example, political or religious beliefs, union membership, health matters etc.), UPMC will not share such information except as otherwise described in this EU Notice unless specifically authorized by you. UPMC may disclose sensitive Personal Data if required to comply with the legal process.

International Data Transfers

UPMC may create or maintain records containing Personal Data in conjunction with its patient care and employment-related activities at UPMC’s EU-based operations. UPMC may also receive and/or manage Personal Data for organizations within EU member countries that UPMC does business with. UPMC may transfer your Personal Data to the United States for processing. With respect to the handling and protection of your Personal Data, UPMC adheres to the EU GDPR. All UPMC operations that have access to Personal Data from an EU member country shall follow this EU Notice and other Privacy rules required under US law (as applicable), or under EU data protection agreements.

Data Retention Period

All Personal Data processed and stored by UPMC will be maintained for no less than the minimum number of years as required by applicable laws and only for a period deemed strictly necessary to fulfill the purposes for which it serves.

Your Rights Concerning Your Data Protection

The law gives you the following rights about your Personal Data:

• The right to access. You have the right to request UPMC for copies of your Personal Data.
• The right to rectification. You have the right to request that UPMC correct any information you believe is inaccurate. You also have the right to request that UPMC complete any information you believe is incomplete.
• The right to erasure. You have the right to request that UPMC delete your Personal Data, under certain conditions.
• The right to restrict processing. You have the right to request that UPMC restrict the processing of your Personal Data, under certain conditions.
• The right to data portability. You have the right to request that UPMC transfer the data that we have collected to another organization, or directly to you, under certain conditions.
• The right to object to processing. You have the right to object to UPMC processing your Personal Data, under certain conditions.
• The right to withdraw consent. You have the right to withdraw your consent for the processing of your Personal Data, where consent is the basis on which UPMC processes such data.
• The right to object to automated processing. You have the right not to be subject to a decision based solely on automated processing.

Upon request, UPMC will provide you with reasonable access to Personal Data that it holds about you and will take reasonable steps to permit you to correct or amend any Personal Data which is inaccurate or incomplete. If you want access to your Personal Data, you should provide a written request to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data.

Cookies

UPMC’s Cookie Policy is available on our Website using the following link.

Data Security

UPMC understands that your Personal Data, particularly health and employment information, is sensitive and confidential. Therefore, we take reasonable security measures to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to, password protection for online information systems and restricted access to your Personal Data.

Violation of Data Protection Rights

If you believe your data protection rights have been violated by us, you may file a confidential complaint with us. You can do this by contacting UPMC’s Office of Consumer and Patient Privacy, 600 Grant Street, 58th Floor, Pittsburgh, PA 15219; telephone: 412-647-6286, Fax: 412-623-6476; or email at: privacyaskus@upmc.edu.

You also have the right to make a complaint with a competent supervisory authority if you believe that the processing of your Personal Data carried out by UPMC is unlawful. UPMC will participate in the dispute resolution process established by the EU Data Protection Authorities.

You will not be penalized for making a complaint.

If You Have Questions About This EU Notice

Questions or concerns regarding the use or disclosure of Personal Data should be directed to the Data Controller and/or Data Protection Officer of the facility where you provided your Personal Data, or to the UPMC’s Office of Consumer and Patient Privacy US Steel Tower, 600 Grant Street, 58th Floor, Pittsburgh, PA 15219; telephone: 412-647-6286, Fax: 412-623-6476; or email at: privacyaskus@upmc.edu.