HOW HELIX HEALTHCARE COLLECTS AND PROTECTS YOUR PERSONAL INFORMATION
This data protection notice explains how we handle personal or sensitive data given to us, including any information we collect about you from other healthcare professionals or other organizations. Please read this notice carefully.
This notice explains:
• Information about Helix Healthcare, including our contact information.
• The types of information we retain.
• The legal basis for collecting and processing your personal information, including when we share it with others.
• How long we retain your personal information.
• What you should do if any of your information changes.
• Your rights under the Cayman Islands Data Protection Law 2017.
The Cayman Islands Data Protection Law 2017 became law on 30 September 2019. Helix Healthcare, Ltd. (the Clinic) complies with this law by handling, protecting, and safeguarding your personal and sensitive data in a responsible manner. This privacy notice is current from 1 January, 2020 and is reviewed annually. Changes to our policies and procedures in relation to how we handle your personal information will be posted on our website and will be available in a printed format from reception at Helix Healthcare.
1. Clinic Information
Company Name: Helix Healthcare, Ltd.
Medical Facility Registration #: HPC/HCF/156
Physical Address: 4 Middle Road, George Town, Grand Cayman
Mailing Address: P.O. Box 2177, Grand Cayman KY1-1105, Cayman Islands
Helix Healthcare, Ltd. is a Data Controller of your information, which means we are responsible for collecting, storing, and handling your personal and healthcare information when you register as a patient. There may be times when we also process your information, which means we use it for a particular purpose and on those occasions we are Data Processors. The purposes for which we use your information are set out in this notice.
Data Controller: Mr. Raymond Anthony, Managing Director.
Practice Manager: Mr. Geoffrey Albury.
2. Types of Information Collected
The types of information we collect include personal data and sensitive personal data.
Personal data is any information relating to a living individual who can be directly or indirectly identified. Sensitive personal data is personal data consisting of:
a. the racial or ethnic origin of the data subject;
b. genetic data of the data subject;
c. the data subject’s physical or mental health or condition;
d. medical data;
e. the data subject’s sex life;
f. the data subject’s commission, or alleged commission of an offence; or
g. any proceedings for any offence committed, or alleged, to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.
We collect information that is necessary and relevant to provide you with medical care and to appropriately manage our medical practice. The information we will collect about you will include:
Personal: Including name, age, date of birth, gender, mailing address, residential address, contact telephone numbers and email address.
Next of Kin: Including name, telephone number and relationship to you.
Employment: Including employer’s name, address, and telephone number.
Health Insurance: Including the name of the insurance company, the policy owner, the policy number and your insurance identification number. The contact name and number of the person responsible for the bill if it is unpaid will also be collected.
Appointments: Details of appointments and encounters with the Clinic including notes about visits and details of your treatment and care and proposed plan including referrals and prescriptions and tests ordered.
Health: Personal and family medical history.
Financial: Debit and Credit Card Information.
Outgoing Information: Including referrals, prescriptions, and correspondence, e.g., with health insurance providers.
Incoming Information: Including information received from other healthcare professionals and medical facilities, caregivers, and relatives. Also, information received from health insurance providers, government agencies, and other organizations.
Test results: Including radiology, pathology, and laboratory reports.
3. The Legal Basis for Collecting and Processing Your Information and When we Share it with Others
The data we collect will be adequate, relevant, and not excessive in relation to the purpose or purposes for which it is collected and/or processed. We need your personal, sensitive, and confidential data in order to provide you with healthcare services. You will be asked to give consent to collect and process your personal and sensitive personal data. The lawful purposes for collecting and processing your information include:
Legal obligation: The processing is necessary for the Clinic to comply with a law.
Vital interests: The processing is necessary to protect an individual’s life.
Public functions: The processing is necessary for the Clinic to perform a public function, or a function of a public nature exercised in the public interest.
Legitimate interests: The processing is necessary for legitimate interests pursued by the data controller or a third party.
Legal proceedings: The processing of sensitive personal data is necessary for legal proceedings, legal advice, or legal rights.
Medical: The processing of sensitive personal data by a health professional or someone who owes an equivalent duty of confidentiality is necessary for medical purposes. “Medical purposes” includes the purposes of preventative medicine, medical diagnosis, the provision of care and treatment, and the management of healthcare services.
Your information will not be further processed in any manner incompatible with the stated purposes.
4. How We Collect Your Information
We collect information in various ways, such as over the phone, in writing, in person in our Clinic, or over the internet if you transact with us via our telemedicine service. This information may be collected by medical and non-medical staff. Wherever practicable we will only collect information from you personally. However, we may also need to collect information from other sources such as treating specialists, radiologists, pathologists, other health care providers or medical facilities. In emergency situations, we may need to collect information from your relatives or friends.
Telemedicine is conducted via Skype (Microsoft, Inc.) or WhatsApp (Facebook, Inc.), which are used by patients subject to the terms, conditions, and privacy policies published by these companies. Skype employs AES 256-bit encryption and WhatsApp calls are protected by end-to-end encryption using the Signal Protocol Library, which means that telemedicine conversations at Helix Healthcare cannot be seen by a third party and are not visible to or stored by either company. The use of Skype or WhatsApp for our telemedicine service implies your acceptance of the terms and conditions issued by the holding companies. Furthermore, Helix Healthcare will not record any conversation without your express permission at the time of the consultation. Notes taken by the doctor during your telemedicine consultation are placed straight into your electronic medical records in real time and securely stored and used as described in this privacy notice.
5. How We Use and Disclose Your Information
We collect and hold data about you for the purpose of providing safe and effective healthcare. We will treat your personal information as strictly private and confidential. We will only use or disclose it for purposes directly related to your care and treatment, or in ways that you would reasonably expect us to use it for your treatment, e.g., the disclosure of blood test or x-ray results to your specialist. To ensure we provide you with the best possible care, we may need to share information with other healthcare providers outside of Helix Healthcare when we order laboratory, diagnostic, or preventative tests, and when we make a referral. Information may be provided to:
• Laboratories and imaging centers.
• Other medical facilities including doctors, nurses, and support staff who may be authorized to receive the information.
• Other persons involved with your care such as relatives, friends, and caregivers if consent has been given to release information to them.
• Insurance providers, e.g., when we submit a claim on your behalf for services rendered or request precertification of services.
You can withdraw consent to provide information to any one of the entities above, but this may result in a delay of care or subject you to payment in advance for the services you receive at Helix Healthcare, or from its providers. We may also be required to share your information with third parties. This includes the Police, the Courts, insurers, attorneys, or government regulatory bodies. Whenever possible we will pass this information on in an anonymous format.
We may disclose information about you to outside contractors to carry out activities on our behalf such as an IT service provider, solicitor or debt collection agent. We impose security and confidentiality requirements on how they handle your personal information. Outside contractors are required not to use information about you for any purpose except for those activities we have asked them to perform.
6. Accuracy of Information
We make every effort and take all reasonable steps to ensure that the data we process is accurate and up to date. However, it is your responsibility to advise Helix Healthcare of any change in your information, particularly your name, mailing address, telephone number, email address, insurance provider, and next of kin.
You have the right to request that Helix Healthcare rectifies, blocks, erases, or destroys inaccurate data without delay. You can make a request for rectification verbally or in writing. The request does not have to be to a specific person.
7. Accessing Your Data
You have the right to view or have a copy of the data we hold, with some exceptions. You do not need to give a reason for your request. If you want to see your medical records you may apply to do so in writing. You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.
There may be a fee associated with this if the time involved in responding to the request is excessive. If you wish to have a copy of the information we hold about you, please contact reception. Please note we have 30 days to respond to your request.
You have the right to ask for your information to be removed; however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.
Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.
8. Data Storage
Your data may be stored in a combination of paper and electronic formats including medical records recorded in writing and on paper and in an electronic medical record system.
9. Data Retention
Data will be deleted when it is no longer needed in any given format, e.g., if a copy of an x-ray report is received by fax, the fax will be shredded once the document has been imported into your electronic medical record. The Clinic will maintain your medical records for a period of ten (10) years after your last encounter at the Clinic.
10. Transfer of Information
As part of Helix Healthcare’s Disaster and Recovery Plan, our electronic records are backed up daily to hard drives in the office and off-site to a secure cloud service.
With your consent medical records may be transferred to non-EU countries, e.g., if medical records are required by a medical facility in the United States for continuity of care. Data may also be transferred in other circumstances as laid out in the Data Protection Act.
11. Safety and Confidentiality of Information
Helix Healthcare will take appropriate technical and organizational measures against unauthorized or unlawful processing of your personal data, and against accidental loss or destruction of, or damage to your personal data.
Personal information that we hold is protected by:
• Securing our premises;
• Placing passwords and varying access levels on databases to limit access and protect electronic information from unauthorised interference, access, modification and disclosure;
• Providing locked cabinets and rooms for the storage of physical records; and
• Backing up electronic records to a professional cloud service daily.
Everyone working for Helix Healthcare is subject to a confidentiality agreement. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law. Clinic staff are required to protect your information and keep it confidential.
We also ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.
We regularly review and update our processes and systems and we also ensure that our staff is properly trained.
12. Your Rights Under The Data Protection Law
The law grants you the following rights:
• The right to be informed;
• The right of access;
• The right to rectification;
• The right to stop/restrict processing;
• The right to stop direct marketing;
• The right in relation to automated decision making; and
• The right to complain and seek compensation.
If you have a concern about the way we handle your personal data or you have a complaint about our processes and procedures, or how we have used or handled your personal and/or healthcare information, then please contact our Data Controller in writing. Upon receipt of a complaint we will consider the details and attempt to resolve it in accordance with our complaints handling procedures.
You also have the right to complain to the Ombudsman about any perceived violation of the Data Protection Law, and to seek compensation for damages in the courts.
If you are unclear about how we process or use your information or have questions relating to the protection of your data, please contact our Practice Manager Christine Mathews.