Protection of personal data/protected health information (PHI)/personally identifiable information (PII) is important to Indegene and its clients.
This policy is intended to be shared with our clients, vendors, business associates and employees so that they are aware of the policies and practices with respect to personal data/PHI/PII managed by Indegene as part of any services delivered.
Indegene is committed to protecting personal information in accordance with its responsibilities under various regulatory frameworks and individual rights. As a healthcare solutions company, Indegene's leadership, management, employees and its business associates shall strive to protect personal information by:
Identifying internal and external interested parties and the extent to which they are involved in the governance of the organization's personal information management system
Providing best-in-class resources and methods to process personal information lawfully, fairly and in a transparent manner in relation to the rights of data principals or data subjects
Safeguarding the personal information by collecting, processing, storing and transmitting in forms that permit identification of individuals for nothing other than explicit, specified purposes
Providing clear information to natural persons (including special safeguards while collecting information from children) about how their personal information can be used and by whom; and by respecting individuals' rights in relation to their personal information
Assuring that further processing or archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes
Processing in a secure manner that ensures protection against unauthorized or unlawful processing and against accidental loss, destruction or damage
Taking adequate steps to establish that the personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Taking reasonable steps to ensure accuracy of the personal information
Following best practices for safe data storage, transmission and destruction
Implementing appropriate backup and disaster recovery systems
Responding to personal data breaches in the most appropriate and fastest manner possible: In events such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, Indegene shall promptly assess the risk to individuals' rights and freedoms and report such breach to the Data Protection Cell (refer to Section 5: Governance Structure for Personal Data Protection) for taking further actions as per the regulatory requirements
General Provisions to This Policy:
Applicability: This policy is applicable to all personal information processed at Indegene.
Ongoing Compliance: The Data Protection Cell shall be responsible for Indegene's compliance with this policy.
Cognizance: This policy shall be made available to all employees and associates of Indegene as documented information and shall also be communicated appropriately.
All of Indegene's employees, its associates, and interested parties shall be made aware of this policy effectively.
Review: This policy shall be reviewed at least once annually.
This policy applies to all personal data/PII and PHI processed by Indegene.
This policy would be relevant to all applicable services or projects managed for Indegene's clients.
Business Associate Agreement
Refers to the agreement between the business associate (Indegene) and the covered entity.
Business Unit (BU)
Refers to different departments in Indegene.
Refers to an organization that routinely handles personal information, PII, and PHI.
Data Protection Officer (DPO)
Refers to the person heading all data privacy-related programmes and initiatives within the organization.
Refers to the project, programme or engagement conducted or performed by Indegene on behalf of its clients or covered entity.
Electronic Protected Health Information (EPHI)
Refers to all individually identifiable health information that is created, maintained or transmitted electronically.
General Data Protection Regulation (GDPR)/(EU) 2016/679
Legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
Health Insurance Portability and Accountability Act (HIPAA)
Act of 1996 that specifies laws for the protection and use of personal (or protected) health information (PHI), which is essentially an individual's medical records.
Personally identifiable information (PII)
Refers to any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered as PII. Any information about an individual's identity such as their name, social security number, date and place of birth, mother's maiden name and biometric records can be considered as PII.
PII can also constitute “PHI” under the HIPAA Act of 1996.
Refers to the part of the HIPAA rule that addresses the saving, accessing and sharing of medical and personal information of an individual, including a patient's own right to access.
Refers to any information that identifies an individual AND relates to:
The individual's past, present or future physical or mental health; OR
The provision of healthcare to the individual; OR
The past, present or future payment for healthcare.
Privacy Single Point of Contact (SPOC)
Refers to the person monitoring the personal data/PII/PHI management under each BU.
Refers to the part of the HIPAA rule that outlines national security standards intended to protect health data created, received, maintained or transmitted electronically.
Refers to the single point of contact/point persons.
Preselected website that can automatically send updated information for immediate display or viewing on request.
Special categories of personal information
The following types of data are categorized as special categories of personal information:
Racial or ethnic origin
Religious or philosophical beliefs
The processing of genetic information