Patient privacy disclosure (long text)

Dear Patient,

Please find below some of the provisions of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“Regulation”) on how the UPMC Hillman Cancer Center at Villa Maria collects and utilizes your data.

WHAT IS UPMC HILLMAN CANCER CENTER AT VILLA MARIA? WHY WILL MY DATA BE TRANSFERRED ABROAD?

UPMC Italy S.r.l. (hereinafter “UPMC”) manages the “UPMC Hillman Cancer Center at Villa Maria” (hereinafter “Center”) that offers cancer patients innovative radiotherapy treatments and advanced care protocols, such as Image Guided Radiation Therapy (IGRT/IMRT) and stereotactic radiosurgery. The Center achieves excellence thanks to a multidisciplinary approach to cancer treatment, major investments in research and innovation, and particularly to daily exchanges with the University of Pittsburgh, UPMC (University of Pittsburgh Medical Center), and UPMC’s network of cancer centers (over 60 centers in the United States and two in Italy – hereinafter jointly referred to as “UPMC Cancer Network”). In its day-to-day operations the Center also utilizes data networks and information technology systems shared with the UPMC Group. As a consequence, patients referring to the Center are required to authorize the transfer of their data, including sensitive data, to the UPMC Group in the United States. According to EU regulations, the laws in force in the United States fail to guarantee adequate levels of personal data protection. Pursuant to the standard contractual clauses approved by the European Commission, the UPMC Group committed to adopt the necessary security measures to protect patient data. A copy of the standard contractual clauses is available from the Data Protection Officer (“DPO”) at the following addresses.

WHAT DATA WILL BE COLLECTED AND HOW?

The Center will ask you or third parties (e.g., your family doctor) to provide your personal data (name, address, etc.), information on your health status (diseases, lab results, diagnostic tests, ongoing therapies) and, if required, on your sex life or social and psychological scope. During your treatment it may be necessary to obtain images of you for the purpose of consults performed, also using telemedicine, by external experts to assess your health status.

WHY ARE MY DATA PROCESSED?
1) In order for me to receive clinical services and also for administrative purposes

Your personal data will be collected and processed so that you may receive the necessary clinical services and also to fulfill the related administrative and accounting requirements. Data processing complies with the provisions of art. 9.2.h of the Regulation (“processing is necessary for the purposes of medical diagnosis, the provision of health or social care pursuant to contract with a health professional”).

To this extent your data may be shared with the following:

  • family doctors;
  • social security institutions, insurance companies covering the Center’s third-party liability, and professionals who may be involved in defending the Center and its staff;
  • the NHS for reimbursement of medical services, and other medical institutions monitoring and auditing the provision of clinical services;
  • institutions, bodies, and authorities supervising and monitoring the provision of clinical services; bodies such as JCI for purpose of certification, and other third parties carrying out quality audits on the clinical services provided, to promote quality improvement of services and patient care.

WHY ARE MY DATA PROCESSED?
2) To conduct scientific studies and research in the medical field (CONSENT #1)

With the purpose of improving its clinical services and to contribute to the development of general medical knowledge, the Center is involved in research projects (both internal and in collaboration with other centers, inside and outside the European Union). Namely, the Center carries out research in the field of innovative radiotherapy techniques. Many of these studies can be conducted using information collected during standard patient care activity or in the scope of clinical studies. Participating in these research projects does not affect standard care and entails no additional tests or treatments. In order to protect privacy, the patient’s identification data are removed from the information and clinical data used in these studies, and replaced with an alphanumerical code that does not allow the patient’s identity to be traced directly. The list that allows associating this code with the patient’s personal data is owned exclusively by the principal investigator and filed as confidential documentation. The list of the ongoing studies at the Center is available at the Center and in the “Research” section of http://www.upmcvillamaria.it/en. For additional information you may request a meeting with the PI or contact info@upmcvillamaria.it.

In particular, encoded data are used during information processing and storage, and when forwarding data to other subjects involved in the studies (the list of centers involved in these studies is available from the Data processing reference person at the following addresses). Access to data directly ascribable to the patient will only take place when extracting information from the original clinical documentation, while checking for correspondence between research data and data in OPC records, or when this is required to update research data. Data and samples are transformed into an anonymous form 10 years after the conclusion of the research projects. Encryption techniques are also adopted for data storage and transfer to prevent unauthorized access. Research outcomes are disseminated only in aggregated form, i.e. in ways that do not render identifiable the person concerned.

In order to use a patient’s clinical information for research purposes, the patient must express his/her consent under art. 9.2.a of the Regulation (“data subject explicit consent to the processing”), as legal basis for data processing. Therefore, if you wish to allow the Center (also in collaboration with centers located in non-EU countries where an adequate level of personal data protection may not be guaranteed as per EU regulations) to use your clinical information already collected or that will be collected in the scope of patient care (or during other research projects you were involved in), please express your consent ticking the appropriate boxes at the end of this document. Please note you are free to either give or deny your consent. You may deny or withdraw your consent to the processing of your data for research purposes at any time, and this will not affect your treatment in any way.

The Center also intends to participate in research projects regulated by laws, in the areas indicated above. In order to use data in the scope of these studies patient consents are not required as these are provided for by the Regulation (art. 9.2.j “scientific research under law”).

WHY ARE MY DATA PROCESSED?
3) To verify the quality of care and treatment received and for planning care (CONSENT #2)

If you express your consent, we will use your data for monitoring and assessing the effectiveness of the clinical treatments delivered, the appropriateness and quality of care, and the risk factors for health, provided by law (for which no consent is required) and also beyond. In particular, the goal of the Center is to assess and compare the appropriateness, efficacy, effectiveness, and efficiency of care delivered to different population groups or in different facilities, also with reference to specific diseases or health issues. In order to use patients’ personal data for these purposes, it is necessary for patients to give their consent, under art. 9.2-a of the Regulation (“data subject explicit consent to the processing”), as legal basis for data processing. If you wish to authorize the Center to process your data, including data collected in the past, to conduct these important tests that could provide useful information for your treatment, please give your consent ticking the appropriate box at the end of this document. If you refuse to provide consent, we will not use your data for these tests, but you will still be able to receive care at the Center. Also, the Center will be involved in surveillance systems and registries provided for by the law. In order to use data in the scope of these studies patient consents are not required as these are provided for by the Regulation (art. 9.2.i “processing is necessary for ensuring high standards of quality and safety of health care and of medicinal products or medical devices, under the law”).

WHY ARE MY DATA PROCESSED?
4) To provide telemedicine services (CONSENT #3)

If you provide consent, the Center will process your data to provide telemedicine services (consults performed by external experts to assess your health), also with centers that are not part of the UPMC Cancer Network. The legal basis for data processing is your consent under art. 9.2-a of the Regulation (“data subject explicit consent to the processing”).

WHY ARE MY DATA PROCESSED?
5) To receive information material (CONSENT #4)

If you sign the consent you will receive information – email, sms or ordinary mail – on the Center’s projects and services, information campaigns, and fund raising initiatives (e.g., 5×1000 tax shares). For this purpose, the legal basis for data processing is the consent under art. 9.2-a of the Regulation (“data subject explicit consent to the processing”). Your data will be stored for 24 months. If you do not give consent you will not receive this information material.

WHY ARE MY DATA PROCESSED?
6) To receive instructions on how to prepare for my tests (CONSENT #5)

If you sign the consent we will email you instructions on how to prepare for your tests and also reminders of your upcoming appointments at the Center, according to your indications. Also for this purpose, the legal basis for data processing is the consent under art. 9.2-a of the Regulation (“data subject explicit consent to the processing”). If you do not give consent you will not receive this information. You will need to retrieve them at the Center, without prejudice to your right to receive care at the Center.

HOW WILL MY DATA BE PROCESSED?

Data processing is performed using both paper and electronic tools, adopting appropriate safety measures to guarantee data confidentiality and security.

WHO WILL ACCESS MY PERSONAL DATA?

Your personal data will be processed by the Center’s clinical and administrative staff complying with specific instructions on the aim and methods of data processing, and bound by professional secrecy and confidentiality. For training purposes, clinical treatments may be performed in the presence of observers. In this event, all necessary precautions will be taken to limit any potential inconvenience, and your wish not to give your consent will be respected.

Beside the parties listed in item 1, your personal data may also be shared with third parties, who, as independent data controllers or appointed data processors, provide ancillary services to activities of the Center, such as:

  • external consultants,
  • volunteer associations for patient care activities,
  • maintenance firms, and
  • other subjects providing services instrumental to the Center’s operations.

Your personal data could be shared with Independent Data Controllers, in fulfillment of the governing law or to enforce one’s rights through legal action (e.g., NHS, institutions, municipalities, diseases registries, or insurance companies).

The updated list of hospitals part of the UPMC Group that may receive the data, and of Data Controllers and Independent Data Controllers having access to data is available from the Data processing reference person at the Office of the Director of Health Care Activities or from the Data Protection Officer, at the addresses below.

WHO WILL BE INFORMED OF MY HEALTH STATUS?

Information regarding your health status will only be provided to your relatives and friends, without prejudice to the provisions of law.

HOW LONG WILL MY DATA BE STORED?

In addition, please note your personal data will be stored for the mandatory minimum retention period established by the Region of Lombardy in the “Massimario di scarto” enforced for the health system (Version #4, “Titolario e Massimario del Sistema Sociosanitario Lombardo, già Sistema Sanitario e Sociosanitario di Regione Lombardia” approved by Legislative decree on welfare 11466 of 17 December 2015 and subsequent additions and amendments) and by the document issued by the General Archival Office regulating the archives of local health units and hospitals (so-called Schola Salernitana), available at http://www.archivi.beniculturali.it, as amended by other sources of regulations. For more information, please contact UPMCI, UPMCIHS, or the DPO at the addresses below.

WHAT ARE MY RIGHTS ACCORDING TO LAW?

Under arts. 15 et seq. of the Regulation, you have the right to obtain:

  • Confirmation that your personal data is stored in the Center’s archives, and to obtain a hardcopy or electronic copy, and information on data processing (purpose, data type, recipients, storage time, etc.).
  • Correction or integration of data.
  • Deletion of data if you withdraw your consent or if there is no juridical basis for the processing.
  • If conditions apply, obtain personal data in a structured form.

Furthermore, we remind you that you can withdraw consents already provided at any time and, if conditions apply, you may file a complaint to the Authority for the Protection of Personal Data, as supervisory Authority according to the provided procedures. A template of the request may be found on the Italian Data Protection Authority website here.

If you have provided consent to using your data for research purposes, to verify the quality and appropriateness of patient care and treatments, and to schedule clinical activity, you will be able to:

  • withdraw your consent to the processing of your data and biological samples for research purposes at any time, and this will not affect your treatment in any way;
  • request the rectification or integration of your data: in this case the requests will be registered without changing the data, if this has no significant impact on the study outcome;
  • request that your data used for research purposes be transformed into anonymous form;
  • obtain information on the projects in which your data have been used, and the list of the centers involved in these projects.

HOW CAN I EXERCISE MY RIGHTS?

The foregoing rights may be exercised by contacting the Data processing reference person at the following addresses: UPMC Hillman Cancer Center at Villa Maria – Località Pozzillo, 83036 Mirabella Eclano (Italy) or sending an e-mail to info@upmcvillamaria.it or contacting the Center’s DPO at the following address: UPMC Hillman Cancer Center at Villa Maria – Data Protection Officer, Località Pozzillo, 83036 Mirabella Eclano (Italy), or emailing DPO@upmcvillamaria.it.

DATA CONTROLLER ADDRESS

The data controller is UPMC Italy, registered offices in Discesa dei Giudici 4, Palermo, Italy.

Last update: November 2018
