OPEN MEDICAL PRIVACY POLICY - UK
How do we manage and protect information about you?
Open Medical® collects information about patient users of the Pathpoint platform to help your health provider give you the best possible care. We aim to maintain full and accurate records of the care provided for you and keep this information confidential and secure.
How do we access your demographic information?
If you are receiving care from a health or care organisation then that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations use the same number to identify you while providing your care. The health and care organisations can work together more closely using the same number to improve your care and support.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England controls any personal information you provide to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please visit this link: Codes of Practice for handling information in health and care. This restriction does not apply to the personal information you provide to us separately.
You have the right to object to the processing of your NHS Number in this way. This will not stop you from receiving care but will result in the benefits outlined above not being realised.
To help you decide, the health or care organisation will discuss with you how this may affect their ability to provide you with care, and any other options that you have.
If you wish to opt out from the use of your NHS Number in this way, please visit https://www.nhs.uk/your-nhs-data-matters/ or contact us via email at ig@openmedical.co.uk for further guidance. We will deal with your request within two weeks of receiving confirmation from your healthcare provider that it has accepted your opt-out request.
The organisation will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional. For example, social workers will only have access to information that is relevant to the execution of their care duties.
Case management systems are provided by system suppliers, who are bound by the same rules. In such cases, systems may access the Personal Demographic Service (PDS) directly, for example through the PDS FHIR API, or through third-party software that accesses the PDS on their behalf.
PDS FHIR API
Your NHS number is accessed through an NHS England service called the Personal Demographic Service (PDS). A health or care organisation sends basic information such as your name, address and date of birth to the PDS to find your NHS number. Once retrieved from the PDS, the NHS number is stored in our case management system. These data are retained in line with our record retention policies and under the Data Protection Act 2018, government record retention regulations and best practice. Further information is available on our website.
We will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional, and where the user has a direct care relationship with you.
The use of joined-up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process because hospital staff will know who to talk to.
You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care but will result in the benefits outlined above not being realised. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options that you have.
If you wish to opt out from the use of your NHS Number in this way, please visit https://www.nhs.uk/your-nhs-data-matters/ or contact us via email at ig@openmedical.co.uk for further guidance. We will deal with your request within two weeks of receiving confirmation from your healthcare provider that it has accepted your opt-out request.
What information do we collect?
We collect information about you such as your name, address, NHS number, GP and contact details (including your email address and mobile number where you have provided these) alongside any health-related information required for the delivery of healthcare services, for example:
Details and records of treatment and care, including notes and reports about your physical or mental health
Results of X-rays, blood tests and diagnosis
Information on medication or any allergies
Any other relevant contact details, for example, a family member
Clinical photographs (dedicated consent will be obtained by the clinician)
We may also collect special category information, such as your ethnicity, religion and sexual orientation, so that we can build up a complete picture of you to enable the clinical staff to provide you with the best care possible and to effectively deliver your treatment and care needs.
We may also receive written or electronic information about you from other health and social care providers to support the care you receive. This will enable your doctors to provide the appropriate care and treatment that you need. We might also collect information to monitor the provider’s compliance with their legal obligations relating to equality and diversity. This information will be recorded electronically on a computer or other electronic device.
Who processes your information?
We process your information on behalf of your healthcare provider to facilitate the provision of healthcare services. We may also engage in the processing of your data to facilitate the delivery of our services.
How do we use the information we collect to help you?
We may use the information we collect to help your healthcare provider deliver services to you in the following ways:
Doctors, nurses or healthcare professionals involved in your care need accurate and up-to-date information about you to assess your health and deliver the care you need
To ensure information is available if you need to be referred to another health professional or if you move to a different area
To assess the type and quality of care you have received and require in the future
To support clinic and treatment appointments by sending you electronic and/or paper-based appointment reminders
To ensure your concerns can be properly investigated if you are unhappy with the care you have received
On what basis are we entitled to process your information?
We process your information on behalf of your healthcare provider, which is lawfully permitted to process this data because it has a legal obligation to do so under various legislation, including the NHS Act (2006) and the Health and Social Care Act (2012), among others referenced in the schedules of the Information Security Policy. It also processes your information as an authority acting in the public interest under Article 6 of the UK GDPR. Information about your health or care is known as “Special Category Data” under the data protection legislation, and healthcare providers are lawfully entitled to process this data under Article 9 of the UK GDPR in order to provide you with care and when undertaking health research. You do have the right to say “no” to the use of your information, but this could have an impact on your healthcare provider’s ability to provide you with care.
Do we share information about you with anyone?
There are times when it is appropriate for us to share information about you and your healthcare with others. We may lawfully share your information with the following:
GPs
NHS Trusts and other healthcare providers
Department of Health
NHS England clinical records
Local Child Health Information Service – a regional programme which supports the transfer of child
NHS England – an organisation that utilises technology and information systems to support the delivery of patient care across the NHS
Health Research Authority – to support research in health and social care. The HRA has published their privacy statement for patients https://www.hra.nhs.uk/about-us/governance/privacy-notice/
We may also need to share your information with other non-healthcare organisations, where it is required in compliance with legal duties. For example, where you are receiving care from a local authority, we would need to share your information with a social worker to support the provision of your care. Other occasions where we may need to share your information include:
Reporting some infectious diseases
To help prevent, detect or prosecute serious crime
If a court orders us to do so
When you have expressly agreed – e.g. for medical insurance
Registering births or deaths
If there is a concern that you may be putting either yourself, another person (including a health or social care professional) or a child at risk of harm
Where information is shared with non-healthcare organisations we may require them to enter into an information-sharing agreement to ensure that the information shared with them is handled appropriately and complies with the relevant legislation. The information from your patient record will only be used for purposes that benefit your care; we would never share your personal information for marketing purposes, nor for insurance purposes except where you have expressly agreed (see above).
In all cases where we must pass on healthcare-related information, we will only share the minimum amount of information required. Anyone who receives information also has a legal duty to keep it confidential.
If you need further information on how your data is shared please email our Data Protection Officer at the contact details below.
How else could your information be used?
Your information may also be used to help us:
Review the care provided
Audit accounts or services
Arrange payments for the person who treats you
Prepare statistics or other performance data on the quality of care being delivered
Investigate incidents, complaints or legal claims
Facilitate research and development
Make sure our services can meet patient needs in the future
Teach and train healthcare professionals
Your data will not be transferred outside the European Economic Area to “Third Countries”
What if I object to your processing of my information?
The UK GDPR confirms that you have the right to object to the processing of your information. Any objection you make to the processing of your data will be considered by the healthcare provider’s Data Protection Officer, who will decide whether or not we should cease processing your data. You have the right to make a complaint to the ICO if you disagree with the decision, or you may be able to bring legal proceedings to appeal the decision should you wish to do so.
The UK GDPR also contains a general right to request that an organisation erase personal data; however, this might not apply to data which is being processed to deliver healthcare.
The recently introduced national data opt-out programme allows a patient to choose if they do not want their confidential patient information to be used for purposes beyond their care and treatment i.e. for research and planning.
You can set your own opt-out choice which will be recorded by the provider and passed on to Open Medical who will take action to respect that choice.
We will deal with your request within two weeks of receiving confirmation from your healthcare provider that it has accepted your opt-out request.
Can you see the information we collect about you?
The data protection legislation gives you the right to know what personal data we hold about you, what we use it for and if the information is to be shared, who it will be shared with.
You have the right to apply for access to the information we hold about you free of charge and we must provide this information in a format that is accessible to you and in a way that you can understand. Your request must be made in writing and we may ask you to provide proof of identity before we can disclose personal information.
In certain circumstances your right to see some details in your health records may be restricted, for example, if the information refers to someone else who hasn’t given their permission, or could cause physical or mental harm to you or someone else (including any health or social care professional) were it to be disclosed; or if the information is being used to detect or prevent crime.
After having viewed your records, if you believe any information is inaccurate, please inform us of this in writing and we will take steps to rectify any inaccuracies as quickly as possible and within one month maximum.
Open Medical also collects information about the employees and/or other approved or contracted end users of the healthcare provider(s) and/or any other organisation commissioning the Pathpoint platform, to enable those users to access the Pathpoint platform via secure password-protected portals. Where such a user wishes to exercise any rights over their data as held on the Pathpoint platform, they should in the first instance contact the healthcare (or other) organisation commissioning and governing their use of the Pathpoint platform. Open Medical will then act upon instructions from the commissioning organisation, which is almost exclusively the Data Controller of this data, within two weeks of receiving any such instructions relating to that user data.
How do we keep your information safe?
We are committed to keeping your information secure and have operational policies and procedures in place to protect your information. We protect your information in the following ways:
Training - Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information. Staff are also obliged to undertake annual training in data security and confidentiality to demonstrate that they understand and are complying with our policies on confidentiality.
Access controls - Staff only have access to patient-identifiable information where it is relevant and necessary for them to do so.
Audit trails - We keep a record of anyone who has created, accessed, or updated a health record.
Investigation - If you believe your information is being viewed inappropriately we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action or referral for criminal prosecution.
Legislation - There are laws in place to protect your information, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Human Rights Act 1998.
Data Protection Officer (“DPO”) – Our Data Protection Officer’s role is to ensure that we have in place appropriate mechanisms and procedures to protect your information and to ensure that personal data is processed lawfully.
Compliance with HIPAA and SOC 2
Open Medical is committed to upholding the highest standards of privacy and data protection as mandated by the Health Insurance Portability and Accountability Act (HIPAA) and the System and Organization Controls 2 (SOC 2) framework.
HIPAA Compliance
Our privacy policy is designed to ensure that we handle protected health information (PHI) in compliance with the HIPAA Privacy and Security Rules. We implement comprehensive policies and procedures to safeguard the confidentiality and integrity of your personal health information. This includes ensuring that only authorised personnel have access to PHI, conducting regular training for our staff on HIPAA compliance and establishing secure methods for the collection, storage and transmission of sensitive data. We also maintain appropriate safeguards to prevent unauthorised access and data breaches.
Our obligations to covered entities (CEs) are provided through our Business Associate Agreements (BAAs) and comply fully with HIPAA requirements. Please see your health care providers
SOC 2 Compliance
Open Medical adheres to the SOC 2 framework, which is built on the Trust Services Criteria of security, availability, processing integrity, confidentiality and privacy. Our privacy policy is aligned with these criteria, ensuring that we implement robust controls to protect your personal information throughout its lifecycle. We undergo regular audits to assess our compliance with the SOC 2 criteria, which reinforces our commitment to maintaining a secure environment for data processing and management.
Through our adherence to HIPAA and SOC 2, Open Medical demonstrates its dedication to protecting patient privacy and maintaining the trust of our clients and stakeholders. We continually assess and improve our privacy practices to meet regulatory requirements and the expectations of those we serve.
Our DPO and Privacy Officer may be contacted at:
Postal address: Open Medical Ltd, CP House, 97-107 Uxbridge Road, London W5 5TL
Telephone: 0203 475 2955
Email: ig@openmedical.co.uk or dpo@openmedical.co.uk
For further advice or to report a concern directly to the UK’s information regulatory authority you can contact ICO at:
Postal address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
If you wish to opt out from the sharing and use of your NHS Number by multiple healthcare providers involved in your care, please visit https://www.nhs.uk/your-nhs-data-matters/ or contact us via email at ig@openmedical.co.uk for further guidance.