EUROPEAN UNION PATIENT FAIR PROCESSING SUPPLEMENTAL PRIVACY NOTICE

Houston Methodist is committed to processing your personal data responsibly and in compliance with Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”).

This Houston Methodist European Union Fair Processing Supplemental Privacy Notice (the “Supplemental Privacy Notice” or “Notice”) explains how Houston Methodist collects, processes, transfers and discloses, either directly or through its affiliates, your Personal Data (as defined further below) for the purposes of treatment, payment and health care operations, as further described in this Notice. This Supplemental Privacy Notice also describes the rights you have regarding Houston Methodist’s use of your Personal Data, the measures Houston Methodist takes to protect the security of the data, and how you can contact Houston Methodist regarding its data protection practices.

 

This Notice supplements the Houston Methodist Joint Notice of Privacy Practices, available at https://www.houstonmethodist.org/for-patients/patient-resources/patient-right-privacy/. To the extent that there are any inconsistencies between the two notices, the terms of this Notice shall prevail over the terms of the Joint Notice of Privacy Practices.

 

This Supplemental Privacy Notice applies to you if:
You are a person who is physically present in the EEA;
You provide to us Personal Data while you are physically present in the EEA; and
You provide to us your Personal Data while Houston Methodist provides health care services to you.
 
Who are the Data Controller and the Data Protection Officer (“DPO”)?

 

The entity responsible for determining the purposes and means of the processing of your personal data in connection with your medical care or treatment is Houston Methodist. As such, Houston Methodist qualifies as the so-called “Data Controller” and is therefore responsible for compliance with GDPR requirements. Houston Methodist can be contacted as follows:

 

Houston Methodist
The Methodist Hospital
6565 Fannin Street
Houston, TX 77030
USA

Houston Methodist’s EU Representative
IITR Cert GmbH
Eschenrieder Str. 62 c
D-82194 Gröbenzell
Germany

 

Houston Methodist’s DPO can be contacted as follows: via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.

 

What is “Personal Data” and which categories of Personal Data are processed by Houston Methodist?

 

“Personal Data” means any information relating to an identified or identifiable natural person including the categories of information identified in this Section.
In order to provide healthcare services to you, Houston Methodist will process the following categories of Personal Data about you: first and last name; home address; telephone number; email address; financial information, including but not limited to credit and debit card numbers, tax information, and financial assistance information; passport and visa information; and insurance information.

 

In addition, to fulfill the purposes listed below, Houston Methodist will also process special categories of Personal Data about you. Special categories of Personal Data consist of data revealing racial or ethnic origin, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation (also known as “Sensitive Data”). Categories of Sensitive Data Houston Methodist will process about you include: medical history; medical records; results of laboratory tests, x-rays, and other tests or physical examinations; and medication record.

 

For which purposes will Houston Methodist process your Personal Data?

 

We need your Personal Data for a number of purposes which are identified in the table below, together with the categories of Data that are needed for each purpose and what we need as a basis for such processing.

 

Each entry below answers two questions: “What are the purposes for processing your Personal Data?” (Purpose) and “On what basis will we process your Personal Data?” (Basis).

Purpose: To assess your clinical needs, coordinate your future care, and schedule your treatment
Basis: We need your explicit consent to process your Personal Data for this purpose.

Purpose: To facilitate the provision of medical treatment to you, filing of claims for payment, and the performance of health care operations on you. Health care operations include the programs and activities of Houston Methodist such as quality and service improvement; health care delivery review; staff performance evaluation; competence or qualification review of health care professionals; education and training of physicians and other health care providers; and business planning and development, business management and general administrative activities.
Basis: We need your explicit consent to process your Personal Data for this purpose.

Purpose: To communicate with you via newsletters, mailings or other means regarding treatment options, health-related information, disease-management programs, wellness programs, or other community-based initiatives or activities in which Houston Methodist participates
Basis: We will need your explicit consent to process your Personal Data for this purpose.

Purpose: To respond to judicial orders, subpoenas, agency requests, or law enforcement pursuant to judicial or administrative proceedings, investigations, or official requests
Basis: We are entitled to process your Personal Data for this purpose because we are required by law to do so and because we have an interest in preventing fraud and abuse and complying with the law.

Purpose: To comply with public health and health oversight reporting obligations
Basis: We are entitled to process your Personal Data for this purpose because we have an interest in disclosing your Personal Data when required by law for purposes deemed to be in the public interest or benefit, including health and safety.


The provision of your Personal Data is a requirement necessary in order for Houston Methodist to provide healthcare services to you. If you refuse to provide us with your Personal Data we will not be able to provide such services to you at Houston Methodist.

 

Houston Methodist will not use your Personal Data for any purpose that is not included in, or is incompatible with, the purposes described in this Notice, unless it is required or authorized by law or you consent to such processing.

 

Which categories of recipients will receive your Personal Data? 

 

Houston Methodist personnel – Your Personal Data will be processed by Houston Methodist employees, staff, medical professionals, and researchers in the United States if this is necessary or otherwise useful to carry out the purposes identified in the table above.

 

Houston Methodist-affiliated organizations – Houston Methodist will share your Personal Data with its affiliated organizations in the United States consisting of affiliated physician groups or health care providers, educational institutions, and quality improvement programs, as may be necessary to carry out the purposes identified in the table above.

 

Third parties – Where required and allowed by applicable law, Houston Methodist will share your Personal Data with third parties such as U.S. and foreign government entities, consultants, or private insurance payers to facilitate access to funding sources.

 

Your Personal Data will not be made available through the Houston Methodist Care Everywhere Health Information Exchange (HIE) to other care providers such as hospitals, laboratories, and physicians.  This statement supersedes the HIE provisions included in the Joint Notice of Privacy Practices.

 

What are your rights as a Data Subject?

 

As a Data Subject under the GDPR, you have certain rights. This Supplemental Notice summarizes what these rights are and how you can exercise these rights.

 

Right of access

 

You have the right to request that Houston Methodist confirm whether it is processing your Personal Data or not. If Houston Methodist is processing your Personal Data, you have the right to review and obtain a copy of your Personal Data.

 

Right to request an amendment to your Personal Data

 

In the event that the Personal Data we have about you is incorrect or incomplete, you have the right to request that Houston Methodist rectifies your inaccurate Personal Data and that it completes your incomplete Personal Data.

 

Right to restriction of processing

 

You have the right to request that Houston Methodist restricts the processing of your Personal Data where such Personal Data is inaccurate, the processing is unlawful, or Houston Methodist no longer needs your Personal Data. If Houston Methodist grants your request to restrict processing, Houston Methodist will only process that Personal Data with your consent, for the protection of the rights of another natural or legal person, for reasons of important public interest, for the establishment, exercise or defense of legal claims, or as otherwise required by applicable law.

 

Right to data portability

 

Where the basis for processing is consent and where the processing is carried out by automated means, you have the right to receive your Personal Data that you have provided to Houston Methodist and to transmit such data to another “Data Controller”. In this case, Houston Methodist will provide your Personal Data in a structured, commonly used, machine-readable format. Where technically feasible and upon your request, Houston Methodist will transmit your Personal Data directly to another entity.

 

Right to withdraw consent

 

If the basis for processing your Personal Data is consent, you may revoke your consent at any time by sending a written notice to our DPO. Upon receiving notice of your revocation of consent, and if there are no other legal grounds for the processing, Houston Methodist will stop processing your Personal Data. Please note that the withdrawal of your consent has effect for the future and it therefore does not legally affect the processing operations conducted prior to withdrawal.

 

Right to object to data processing

 

You have the right to object to the processing of your Personal Data in the following situations:

If the basis for processing your Personal Data is legitimate interests, you have the right to object to the processing of your Personal Data. Houston Methodist will stop processing your Personal Data unless it demonstrates overriding legitimate grounds for processing or the processing is necessary for the establishment, exercise, or defense of legal claims.

 

If Houston Methodist is using your Personal Data for direct marketing purposes, you have the right to object at any time and Houston Methodist will honor your request.

 

Right to erasure

 

You have the right to request the erasure of Personal Data that Houston Methodist maintains about you in certain circumstances. Subject to applicable laws and Houston Methodist policies, and provided that there are no overriding legitimate grounds for Houston Methodist to retain the Personal Data, Houston Methodist will comply with your request and will inform any third parties with whom the Personal Data was shared, except where this proves impossible or involves disproportionate efforts.

 

Right to lodge a complaint

 

You have the right to lodge a complaint with a supervisory authority in the EU if you believe Houston Methodist’s processing of your Personal Data violates the GDPR.

 

In addition to the rights provided by the GDPR, you may also have rights with respect to your Personal Data pursuant to United States law, Texas law, or Houston Methodist policy. When you submit a request to Houston Methodist to exercise your rights, Houston Methodist will respond in accordance with existing Houston Methodist policies and procedures implementing relevant privacy laws pertaining to medical records maintained by Houston Methodist.

 

International Data Transfers 

 

In order to receive medical care and/or treatment at Houston Methodist, you must disclose and transfer your Personal Data to Houston Methodist, which is based in the United States and subject to United States and Texas law. By sending your Personal Data to Houston Methodist, you are sending your Personal Data to the United States, where a different data protection regime applies and which is considered by the EEA as a country which does not provide an adequate level of protection of Personal Data. This means that your Personal Data will not receive a protection equivalent to the protection it would receive in the EEA.

 

How is your Personal Data secured and how long is it kept?

 

Houston Methodist and entities acting on Houston Methodist’s behalf will maintain appropriate technical and organizational measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

 

Your Personal Data will only be retained for as long as it is necessary to achieve the purposes listed in the above table, or alternatively, until you object to the processing of your data or withdraw your consent which you have previously provided. However, where Houston Methodist is required by law (such as for statutory obligations, as reflected in our Record Retention Policy, or under tax law, labor law, hospital licensing laws, or other applicable United States and Texas laws) to retain your Personal Data longer, or where your Personal Data is required for Houston Methodist to assert or defend against legal claims, we will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.

 

Questions?

 

If you have any questions about the information contained in this Supplemental Privacy Notice or would like to exercise any of your data subject rights, please contact our DPO via mail at 1130 Earle Street, AX200, Houston, TX 77030, USA; or email at privacy@houstonmethodist.org.