HOW BEHAVIORAL HEALTH ASSOCIATES CAYMAN LTD. (BHAC) COLLECTS AND PROTECTS YOUR PERSONAL INFORMATION
This data protection notice explains how we handle personal or sensitive data given to us, including any information we collect about you from other healthcare professionals or other organizations. Please read this notice carefully.
This notice explains:
- Information about BHAC, including our contact information.
- The types of information we retain.
- The legal basis for collecting and processing your personal information, including when we share it with others.
- How long we retain your personal information.
- What you should do if any of your information changes.
- Your rights under the Cayman Islands Data Protection Law 2017.
The Cayman Islands Data Protection Law 2017 became law on 30 September 2019. Behavioral Health Associates Cayman Ltd (BHAC) complies with this law by handling, protecting, and safeguarding your personal and sensitive information in a responsible manner. This privacy notice is current from 1st January 2020 and is reviewed annually. Changes to our policies and procedures in relation to how we handle your personal information will be posted on our website and will be available in a printed format upon request at BHAC.
Company Name: Behavioral Health Associates Cayman Ltd.
Medical Facility Registration #: HPC/HCF/139
Physical Address: 62 Hospital Road, Unit B George Town, Grand Cayman
Mailing Address: P.O. Box 10509, Grand Cayman KY1-1105, Cayman Islands
BHAC is a Data Controller of your information, which means we are responsible for collecting, storing, and handling your personal and healthcare information when you register as a patient. There may be times when we also process your information, which means we use it for a particular purpose and on those occasions, we are Data Processors. The purposes for which we use your information are set out in this notice.
Data Controller: Heather Lockhart, Chief Operating Officer
Practice Administrator: Charmaine Elias, Administrator
Types of Information Collected
The types of information we collect include personal data and sensitive personal data.
Personal data is any information relating to a living individual who can be directly or indirectly identified. Sensitive personal data is personal data consisting of:
- the racial or ethnic origin of the data subject;
- genetic data of the data subject;
- the data subject’s physical or mental health or condition;
- medical data;
- the data subject’s sex life;
- the data subject’s commission, or alleged commission of an offence; or any proceedings for any offence committed, or alleged, to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.
We collect information that is necessary and relevant to provide you with medical care and to appropriately manage our medical practice. The information we will collect about you will include:
- Personal: Including name, age, date of birth, gender, mailing address, residential address, contact telephone numbers and email address.
- Next of Kin: Including name, telephone number and relationship to you.
- Employment: Including employer’s name, address, telephone number.
- Health Insurance: Including the name of the insurance company, the policy owner, the policy number and your insurance identification number. The contact name and number of the person responsible for the bill if it is unpaid will also be collected.
- Appointments: Details of appointments and encounters with our providers including notes about visits and details of your treatment and care and proposed treatment plans including referrals and prescriptions and tests ordered.
- Health: Personal and family medical history.
- Financial: Debit and Credit Card Information.
- Outgoing Information: Including referrals, and prescriptions and correspondence e.g., with health insurance providers.
- Incoming Information: Including information received from other healthcare professionals and medical facilities, caregivers, and relatives. Also, information received from health insurance providers, government agencies, and other organizations.
- Test results: Including assessments, pathology, and laboratory reports.
The Legal Basis for Collecting and Processing Your Information and When we Share it with Others
The data we collect will be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are collected and/or processed. We need your personal, sensitive, and confidential data in order to provide you with healthcare services. You will be asked to give consent to collect and process your personal and sensitive personal data. The lawful purposes for collecting and processing your information include:
- Legal obligation: The processing is necessary for the Practice to comply with a law;
- Vital interests: The processing is necessary to protect an individual’s life;
- Public functions: The processing is necessary for the Practice to perform a public function, or a function of a public nature exercised in the public interest;
- Legitimate interests: The processing is necessary for legitimate interests pursued by the data controller or a third party;
- Legal proceedings: The processing of sensitive personal data is necessary for legal proceedings, legal advice, or legal rights;
- Medical: The processing of sensitive personal data by a health professional or someone who owes an equivalent duty of confidentiality is necessary for medical purposes. “Medical purposes” includes the purposes of preventative medicine, medical diagnosis, the provision of care and treatment, and the management of healthcare services. Your information will not be further processed in any manner incompatible with the stated purposes.
How We Collect Your Information
We collect information in various ways, such as over the phone, in writing, in person at our practice, or over the internet if you transact with us via our telemedicine service. This information may be collected by medical and non-medical staff. Wherever practicable we will only collect information from you personally. However, we may also need to collect information from other sources such as general practitioners, treating specialists, psychiatrists, psychologists, or other health care providers or medical facilities. In emergency situations, we may need to collect information from your relatives or friends.
How We Use and Disclose Your Information
We collect and hold data about you for the purpose of providing safe and effective healthcare. We will treat your personal information as strictly private and confidential. Sensitive clinical data including medical notes is only accessible by clinical staff. We will only use or disclose it for purposes directly related to your care and treatment, or in ways that you would reasonably expect us to use it for your treatment, e.g., the disclosure of assessment results or medication history. To ensure we provide you with the best possible care, we may need to share information with other healthcare providers outside of BHAC when we order laboratory, diagnostic, or preventative tests or assessments, and when we make a referral. Information may be provided to:
- Laboratories and imaging centers.
- Other medical facilities including doctors, nurses, and support staff who may be authorized to receive the information.
- Other persons involved with your care such as relatives, friends, and caregivers if consent has been given to release information to them.
- Insurance providers, e.g., when we submit a claim on your behalf for services rendered or request precertification of services.
You can withdraw consent to provide information to any one of the entities above, but this may result in a delay of care or subject you to payment in advance for the services you receive at BHAC, or from its providers. We may also be required to share your information with third parties. This includes the Police, the Courts, insurers, attorneys, or government regulatory bodies.
We may disclose information about you to outside contractors to carry out activities on our behalf such as an IT service provider, solicitor, or debt collection agent. We impose security and confidentiality requirements on how they handle your personal information. Outside contractors are required not to use information about you for any purpose except for those activities we have asked them to perform.
Accuracy of Information
We make every effort and take all reasonable steps to ensure that the data we process is accurate and up to date. However, it is your responsibility to advise BHAC of any change in your information, particularly your name, mailing address, telephone number, email address, insurance provider, and next of kin.
You have the right to request that BHAC rectifies, blocks, erases, or destroys inaccurate data without delay. You can make a request for rectification verbally or in writing. The request does not have to be to a specific person.
Accessing Your Data
You have the right to view or have a copy of the data we hold, with some exceptions. You do not need to give a reason for your request. If you want to see your medical records you may apply to do so in writing. You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.
There may be a fee associated with this if the time involved in responding to the request is excessive. If you wish to have a copy of the information we hold about you, please contact our front desk. Please note we have 15 days to respond to your request.
You have the right to ask for your information to be removed, however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.
Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.
Your data may be stored in a combination of paper and electronic formats including medical records recorded in writing and on paper and in an electronic medical record system.
Data will be deleted when it is no longer needed in any given format, e.g., if copies of a medical record are received by fax, the fax will be shredded once the document has been imported into your electronic medical record. The Practice will maintain your medical records for a period of ten (10) years after your last encounter at the Practice.
Transfer of Information
As part of BHAC’s Disaster and Recovery Plan, our electronic medical records are stored in a secure, encrypted, cloud-based electronic medical record system.
With your consent medical records may be transferred to non-EU countries, e.g., if medical records are required by a medical facility in the United States for continuity of care. Data may also be transferred in other circumstances as laid out in the Data Protection Act.
Safety and Confidentiality of Information
BHAC will take appropriate technical and organizational measures against unauthorized or unlawful processing of your personal data, and against accidental loss or destruction of, or damage to your personal data.
Personal information that we hold is protected by:
- Securing our premises;
- Placing passwords and varying access levels on databases to limit access and protect electronic information from unauthorised interference, access, modification and disclosure;
- Providing locked cabinets and rooms for the storage of physical records;
- Storing electronic medical records in a secure, encrypted, cloud-based electronic medical record system.
Everyone working for BHAC is subject to a confidentiality agreement. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law. BHAC staff are required to protect your information and keep it confidential.
We also ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.
We regularly review and update our processes and systems and we also ensure that our staff is properly trained.
Your Rights Under The Data Protection Law
The law grants you the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to stop/restrict processing
- The right to stop direct marketing
- The right in relation to automated decision making and
- The right to complain and seek compensation.
If you have a concern about the way we handle your personal data or you have a complaint about our processes and procedure, or how we have used or handled your personal and/or healthcare information, then please contact our Data Controller in writing. Upon receipt of a complaint we will consider the details and attempt to resolve it in accordance with our complaints handling procedures.
You also have the right to complain to the Ombudsman about any perceived violation of the Data Protection Law, and to seek compensation for damages in the courts.
If you are unclear about how we process or use your information or have questions relating to the protection of your data, please contact our Administrator Charmaine Elias.