Effective Date: January 1, 2008
Last Modified: August 28, 2015
Epic Systems Corporation and its controlled affiliates provide Healthcare Information Software to the healthcare industry. While helping our customers to install and use our software, Epic employees sometimes need to access personal information (including sensitive health information) that is stored in our customers' healthcare information software systems. Epic employees only access this information with explicit permission from our customers.
We take very seriously our obligation to protect the confidentiality of, and to limit uses and disclosure of, such personal information.
Epic complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework, each as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. Epic has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Epic's certifications, please visit http://www.export.gov/safeharbor/.
This policy is intended to inform people in the EU and Switzerland about the safeguards we have in place for protecting this personal information.
Notice and Choice
We know it's important to you to understand what will happen to your personal information. Although Epic itself does not collect that information from you directly, we do require that our EU and Swiss customers comply with the Notice and Choice standards applicable in the EU and Switzerland, respectively. That means that our customers notify you of the purposes for which your personal information is collected, the uses to which it will be put and the types of third parties to which it may be disclosed. In addition, when required to do so under the applicable EU or Swiss standards, as applicable, our customers offer you choices about whether your personal information will be disclosed to third parties or used for any purpose incompatible with those for which it is collected or subsequently authorized.
We do not provide your personal information to other third parties unless they also adhere to the seven EU and Swiss Safe Harbor principles or they've entered into a written agreement with us that provides the same level of protection. If we do provide your information to such third parties, we do so only for the same uses for which we are authorized (i.e., to assist in our EU or Swiss customers' to install and use our software).
Access, Security and Data Integrity
We do not ordinarily retain, hold or maintain the information about you to which we might have access while supporting customers; instead, your information typically resides on and is maintained within our customers' systems. Nevertheless, in the event that we were to receive such personal information for the purpose of maintaining or storing the information on any Epic system for active live or archival use related to our customer's operations (as opposed to the receipt and storage of data that occurs incidentally in the course of supporting our software), we will comply with all reasonable instructions from a customer to correct, amend or delete your information, or to provide you access to your information. We also expect our EU and Swiss customers to comply with the Access standards applicable to them in the EU or Switzerland.
We also take reasonable and appropriate precautions (a) to protect personal information in our possession from loss, misuse, unauthorized access, disclosure, alteration and destruction; and (b) to ensure that such information in our possession is reliable for its intended use, accurate, complete and current.
Enforcement / Inquiries
We train our employees on the requirements of this policy, and regularly communicate to them about the proper uses, disclosure and handling of personal information. Any Epic employee who violates this policy, or fails to report any violation of which they are aware, is subject to appropriate disciplinary action, which can include termination. In addition, we periodically undertake an objective self assessment of the accuracy of this policy and our conformance with its requirements.
Individuals in the EU or Switzerland who have concerns about our use, disclosure or handling of their personal information are encouraged to contact our EU/Swiss Safe Harbor Compliance Program Monitor by emailing firstname.lastname@example.org. We'll work hard to address those concerns, and, if needed we'll cooperate with Data Protection Authorities in the EU or the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, as applicable, in the unlikely event we're unable to otherwise resolve a complaint you raise concerning our compliance with this policy.
We may make changes to this policy from time to time. If we do, such changes will remain consistent with the requirements of the Safe Harbor Principles, and will reflect our continued commitment to protect your privacy while helping our customers provide even better healthcare to all their patients.