This Privacy Policy covers Entra Health Systems LLC which is a subsidiary of CRF Inc.

               Parent Corporation: CRF Inc.
               DBAs:
               Subsidiaries: Entra Health Systems
               CRF Inc.’s main corporate privacy policy can be found at www.crfhealth.com/privacy/

 

1. Purpose

The overall purpose of this Privacy Policy is to outline the responsibilities and procedures that are in place to ensure the privacy and confidentiality of all personally identifiable data and sensitive information (“Personal Data”) provided to, or collected and processed by Entra Health Systems (EHS) online web data, customer and help desk collection software or personnel. EHS does not collect any patient data. All that may be collected is the Site & patient ID used to identify an association to an EHS provided device. Note that EHS’s goal is not to collect patient (trial subject or end user) identifiers other than, for clinical trial subjects, site and subject number.

This Privacy Policy is associated with the Internet Privacy Policy & Cookie Policy (which deals with personal information that is collected via our publicly accessible website), but this Policy only pertains to Personal Data collected via EHS data software website www.myhealthpoint.com and other activities further described herein.

This Privacy Policy is comprised of multiple sub-policies listed below:

  1. European General Data Protection Regulation (“GDPR”) assuring EU privacy via contracted Model Clauses.
  2. The US Health Information Portability & Accountability Act – HIPAA.
  3. The EU-U.S. Privacy Shield and Swiss-US Privacy Shield programs.

EHS respects individual privacy and values the confidence of its customers, employees, clinical trial participants, consumers, business partners and others. EHS strives to collect, use and disclose Personal Data in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices.

EHS may receive Personal Data from outside of the European Economic Area (EEA), Switzerland, or the U.S. Typically, this would be from customers or suppliers and this Privacy Policy would be applied in respect of Personal Data, unless stricter local requirements, as identified with the information supplier or superseded in a contract. This Privacy Policy applies to Personal Data held by EHS or CRF Health (parent company) for:

  1. All individuals who provide Personal Data including (but not limited to); customers, investigator site staff, clinical trial subjects, suppliers, job applicants and employees (past and present).
  2. EHS location in El Cajon, CA USA.
  3. Personal Data, in all media, from the point of receipt by EHS through processing and to final disposition (e.g., destruction or transfer of ownership of that data).

The EHS systems are developed and maintained in a manner that will ensure that EHS conducts its business in compliance with applicable data protection and confidentiality regulations and laws.

2. Definitions

For purposes of this Privacy Policy, the following definitions shall apply as defined in the U.S. and EU:

a)      CRF HEALTH

Means CRF Inc., its successors, subsidiaries, divisions and groups.  The parent company of EHS.

b)     EHS

Means Entra Health Systems LLC, its successors, subsidiaries, divisions and groups.

c)      EUROPE, EU, EUROPEAN ECONOMIC COMMUNITY (EEC), or EUROPEAN

Refers to a country in the European Union.

d)     THIRD PARTY

Means any individual or entity

e)     EMPLOYEE

Means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of EHS or any of its affiliates or subsidiaries, who is also a resident of a country within the European Economic Area or United States.

f)       PERSONAL DATA

As defined under the EU General Data Protection Regulation, means data that personally identifies or may be used to personally identify a person, including an individual’s name in combination with country of birth, marital status, emergency contact, address, phone number, e-mail address, user ID, password, and identification numbers. Personal Data does not include data that is de-identified, anonymous, or publicly available. For Switzerland, the term “person” includes both a natural person and a legal entity, regardless of the form of the legal entity.

g)      PERSONAL HEALTH INFORMATION (PHI), INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (IIHI) – HIPAA (US)

Any information about an individual including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or genetic/biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

h)     DATA SUBJECT

Means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics. For Individual Customers residing in Switzerland, a Data Subject also may include a legal entity.

i)       DATA CONTROLLER (EU)

Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. CRF Health acts as the data controller for EHS Personal Data and sensitive personal information that is not captured as part of supporting a clinical trial under the direction of a customer. CRF Health acts as the data controller for EHS’s Personal Data and sensitive personal information when it processes (or has a third-party process on its behalf) the Personal Data of its employees and customers.

j)       DATA PROCESSOR (EU)

Means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. EHS acts as the data processor for any personal and sensitive personal information captured as part of trial conduct, under the direction of the customer (Sponsor) in their capacity as DATA CONTROLLER.

k)      BUSINESS ASSOCIATE, AGENT – HIPAA (US)

A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. EHS acts as the business associate for any personal and sensitive personal information captured as part of trial conduct, under the direction of the customer in their capacity as a covered entity.

l)       SENSITIVE PERSONAL INFORMATION

EHS will treat sensitive personal information as any information received from a third party where that third party treats and identifies the information as sensitive.

m)    INDIVIDUAL CUSTOMER

Means an individual customer or client of EHS from EU or Switzerland. The term also shall include any individual agent, representative, of an individual customer of EHS and all employees of EHS where EHS has obtained his or her Personal Data from such Individual Customer as part of its business relationship with EHS.

n)     PSEUDONYMISATION

Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

3. Compliance with Legal Obligations

Unless otherwise prohibited in this Privacy Policy, EHS may process Personal Data and sensitive personal information (a) to the extent required to respond to a contractual, legal or ethical obligation; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

4. Types of Information Collected

EHS may collect Personal Data from sponsors, site personnel, employees, distributors, customers and end users, and pseudonymous sensitive personal information through clinical trials, reports or complaints, and general business activities. EHS takes appropriate action where unsolicited confidential data is received to prevent / minimize the risk of recurrence.

This includes all other identifiable and Personal Data other than clinical data. This includes (but may not be limited to) first name, last name, physical address, email address and telephone number of end user or investigator site staff, complainant information, visitors to the EHS website and employees, customers and suppliers.

5. Modes of Personal Data Capture/Storage

EHS captures Personal Data via different routes. The term “capture” shall be taken to encompass both solicited and unsolicited receipt of Personal Data.

5.1. Web-based

EHS sees the Internet and the use of other technologies as necessary tools for communicating and interacting with consumers, customers, employees, healthcare professionals, business partners, and others.

EHS recognizes the importance of maintaining the privacy of Personal Data collected online; EHS’s Internet Privacy Policy governs the treatment of Personal Data collected through web sites that EHS operates. The associated Internet Privacy Policy also reflects additional legal requirements and evolving standards with respect to Internet privacy. EHS’s Internet Privacy Policy can be found at https://entrahealth.com/footer/privacy/

The EHS website allows interested parties to request information and demonstrations of company services. The EHS MyHealthPoint Web Portal allows users to view content pertinent to the clinical trial through a secured website, should one be employed for a trial.

All employees are individually responsible for all electronic mail sent from their account and for the appropriate handling of personal data received into their account. Care should always be taken to evaluate whether e-mail is the most appropriate method for dissemination of Personal Data. Further detail is provided in the relevant security procedures and company handbook in relation to use of e-mail.

5.2. Telephone

Where communication of information is by telephone, care will always be taken to evaluate whether this is the most appropriate method for discussion and / or dissemination of Personal Data.

5.3. Paper-based Information

Paper-based information that is current and required for ongoing study and/or general business activities is maintained, wherever possible, in locked cupboards or otherwise restricted areas; however, the EHS standard is to maintain records in electronic form. Paper is considered to be the backup to the electronic record. When paper information ceases to be required, it is destroyed confidentially, by shredding. Wherever appropriate and possible, printers that are not general access printers will be used to print such information.

6. Receipt of unsolicited Personal Data and/or Sensitive Personal Information

The possibility of receipt of unsolicited Personal Data is acknowledged by EHS. Receiving, storing or further disseminating or otherwise processing such Personal Data may be incompatible with EHS’s commitment to the principles of transparency and purpose limitation, since the individual (data subject) may not be aware of the dissemination of that Personal Data to EHS. It is EHS policy, on receipt of such Personal Data to take all necessary actions to halt further processing or dissemination of that Personal Data and to prevent the risk of recurrence of same.

The individual receiving such Personal Data will, on receipt (and without further sharing the Personal Data, including to Quality Management) notify Quality Management or other designated Privacy Official and raise a corrective action (taking care not to capture any of the Personal Data in the corrective action) that Personal Data has been received, providing relevant information regarding the supplier of the Personal Data, circumstances of receipt and project (if applicable). At the same time, the Personal Data in question will be destroyed and the supplier notified that they have made an errant transfer of Personal Data. If the transmission contained other, non-identifiable data that is required by EHS, the supplier should be requested to re-supply without the personal identifiers. EHS Quality Assurance will monitor for any trends in unsolicited data to permit escalations as appropriate for repeated occurrences.

7. Access to Personal and Sensitive Personal Information

Access to information and systems is restricted to appropriate staff. For data held on the EHS network or servers, this is managed via the R&D department.

In accordance with national and international laws, data subjects (individuals or groups to whom the Personal Data pertains) have the right of access to Personal Data EHS holds on them to ensure that it is accurate and up-to-date, to have the ability to request its correction/modification or to request deletion of all or part of that information if it is inaccurate or no longer necessary for the purposes for which EHS has collected the Personal Data.

8. Retention and Archiving of Information

EHS does not keep Personal Data any longer than necessary to meet the business purpose for which it was collected, unless legal or regulatory reasons require that the information not be deleted.

Where it is required that information is not deleted, EHS will retain that information for the minimum period required by law or regulation.

In the case of clinical data, on transfer of ownership of information back to a Sponsor or Investigator, it shall be deemed that the new owner becomes responsible for assuring the confidentiality and security of the information.

9. Training and Awareness

Training on HIPAA, which includes privacy and data protection, is mandatory for employees of EHS. In addition, all employees, regardless of contract type (permanent, temporary, etc.) have access to this Privacy Policy.

10. Clinical Trial Subject Data Obligations

Where trial subject data is processed by EHS this will be processed in line with this Privacy Policy, although the responsibility for ensuring that the trial subject is duly consented to processing of their data in accordance with applicable regulation lies solely with the Sponsor and Investigator site in obtaining that informed consent using the Ethics / IRB approved consent documents.

11. HIPAA Privacy Policy

Personal Health Information collected within the US is pseudo-anonymised by patient ID. Some additional HIPAA personal information is collected for patient SMS reminders but this information is obfuscated within the computer systems viewable by only the patients and their authorized investigators.  All US data will be managed the same as EU data as all data is stored (processed) within the EU and becomes subject to EU legislation.

12. GDPR Model Clauses

The European Commission is empowered to recognize standard contractual clauses (known as model contract clauses) as offering adequate safeguards for the purposes of Article 46 of the GDPR. The European Commission has approved model contract clauses (EU Decision 2002/16/EC) that can be used by data exporters and data importers to transfer data outside the EEA. Where processing Personal Data is involved EHS utilizes the appropriate model contract clauses (controller to controller and controller to processor) between its affiliates and with its customers and vendors to provide adequate safeguards for the processing of Personal Data.

EHS policy is to follow the higher standard where applicable.

12.1. Data Transfer Mechanism

EHS only has an office in the United States. Personnel of EHS are trained on the importance of personal data protection and have the ability to read and understand this Privacy Policy.

12.2. Model Clauses GDPR Principles

12.2.1. Data Controller

Where EHS is a data controller with respect to Personal Data from individuals in the EEA, it will inform them about the purposes for which it collects and uses this information about them, the types of non-agent third parties to which EHS discloses that Personal Data, whether it intends to transfer Personal Data to a third country and the choices and means, if any, EHS offers individuals for limiting the use and disclosure of their Personal Data.

Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to EHS, or as soon as practicable thereafter, and in any event before EHS uses or discloses the information for a purpose other than that for which it was originally collected.

Where EHS receives Personal Data from its subsidiaries, affiliates or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Personal Data relates.

12.2.2. Purpose Limitation

EHS processes Personal Data and subsequently uses Personal Data only for specified purposes or as subsequently authorized by the data subject.

12.2.3. Data Quality and Proportionality

EHS ensures that Personal Data is accurate and, where necessary, kept up to date. The Personal Data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.

12.2.4. Transparency

EHS will provide data subjects with information designed to ensure fair processing, such as information about the purpose of processing and data transfer.

12.2.5. Rights of Access, Rectification, Deletion and Objection

EHS takes reasonable precautions designed to ensure that Personal Data processed by EHS is accurate and, where necessary, kept up to date. EHS will take every reasonable step to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without unreasonable delay. EHS will provide data subjects with personal information about them that EHS holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law.

12.2.6. Security and Confidentiality

EHS will take reasonable precautions to process Personal Data in a way designed to ensure appropriate protection of personal and/or sensitive information in its possession, including protection from accidental loss, misuse and unauthorized access, disclosure, alteration and destruction.

This will be achieved via appropriate physical and logical security mechanisms.

Computer systems, equipment, networks, programs, data, and documentation are secured to the extent reasonably possible using existing technology.

Where Personal Data is to be transferred on physical media, the media will be kept away from any means of reading that information and appropriate password protection, encryption, or other means used to minimize the risk of unauthorized access to that information.

Further details of security mechanisms for transfer of Personal Data electronically and transport by employees of Personal Data are addressed in the applicable security QMS documents.

12.2.7. Enforcement

EHS will conduct compliance audits of its relevant privacy practices to verify EHS’s adherence to this Privacy Policy as well as continued suitability of this Privacy Policy and related procedures for assurance of compliance with applicable privacy and data protection legislation. Should gaps or areas for improvement be identified, these will be addressed in accordance with the relevant procedures.

Where there is determined to be willful violation of this Privacy Policy by an employee, that employee shall be subject to disciplinary action up to and including termination of employment. Any unsolicited reports or other serendipitous evidence of potential failures of compliance with this Privacy Policy will be appropriately investigated, with actions commensurate with the result of that investigation implemented.

12.2.8. Dispute Resolution

Any questions or concerns regarding the use or disclosure of Personal Data should be directed to the Security & Data Protection Officer. EHS will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the principles contained in this Privacy Policy. For complaints that cannot be resolved between EHS and the complainant, EHS will refer the dispute to the appropriate dispute resolution mechanism specified by the model contract clauses to which the dispute relates.

13. Privacy Shield Policy

Entra Health Systems LLC d.b.a Entra Health or EHS has adopted this Privacy Shield Policy (“Policy”) to establish and maintain an adequate level of Personal Data privacy protection. This Policy applies to the processing of Personal Data that EHS obtains from Customers located in the European Union and Switzerland.

EHS complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

The Federal Trade Commission (FTC) has jurisdiction over EHS compliance with the Privacy Shield.

All EHS employees who handle Personal Data from Europe and Switzerland are required to comply with the Principles stated in this Policy.

13.1. SCOPE

This Policy applies to the processing of Individual Customer Personal Data that EHS receives in the United States concerning Individual Customers who reside in the European Union and Switzerland.

13.2. RESPONSIBILITIES AND MANAGEMENT

EHS VP Quality Assurance and Regulatory Affairs (VP RAQA) or Management designee will oversee its information security program, including its compliance with the EU-US Privacy Shield and Swiss-US Privacy Shield Programs. The VP RAQA shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Policy also may be directed to regulatory@entrahealth.com

EHS will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects.

13.3. RENEWAL / VERIFICATION

EHS, under CRF Inc., will renew its EU-US Privacy Shield and Swiss-US Privacy Shield certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.

Prior to the re-certification, EHS will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Individual Customer Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, EHS will undertake the following:

a)      Review this Policy and its publicly posted website privacy policy to ensure that these policies accurately describe the practices regarding the collection of Individual Customer Personal Data.

b)     Ensure that the publicly posted website privacy policy informs Individual Customers of EHS participation in the EU-US Privacy Shield and Swiss-US Privacy Shield programs and where to obtain a copy of additional information (e.g., a copy of this Policy).

c)      Ensure that this Policy continues to comply with the Privacy Shield principles.

d)     Confirm that Individual Customers are made aware of the process for addressing complaints and any independent dispute resolution process (EHS may do so through its publicly posted website, Individual Customer contract, or both).

COLLECTION AND USE OF PERSONAL DATA

EHS may collect Personal Data from sponsors, site personnel, employees, distributors, customers and end users, and sensitive personal information through clinical trials, reports or complaints, and general business activities. EHS takes appropriate action where unsolicited confidential data is received to prevent / minimize the risk of recurrence. See Sections 3 and 4 of this Policy for further details.

13.4. DISCLOSURES / ONWARD TRANSFERS OF PERSONAL DATA

Except as otherwise provided herein, EHS discloses Personal Data only to Third Parties who reasonably need to know such data only for the scope of the initial transaction and not for other purposes. Such recipients must agree to abide by confidentiality obligations.

EHS may provide Personal Data to Third Parties that act as agents, consultants, and contractors to perform tasks on behalf of and under our instructions. For example, EHS may store such Personal Data in the facilities operated by Third Parties. Such Third Parties must agree to use such Personal Data only for the purposes for which they have been engaged by EHS and they must agree, via written contract, to provide adequate protections for the Personal Data that are no less protective than those set out in this Policy.

EHS also may disclose Personal Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure. Please be aware that EHS may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. EHS is liable for appropriate onward transfers of Personal Data to third parties.

13.5. DATA INTEGRITY AND SECURITY

EHS uses reasonable efforts to maintain the accuracy and integrity of Personal Data and to update it as appropriate. EHS has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. For example, electronically stored Personal Data is stored on a secure network with firewall protection, and access to EHS electronic information systems requires user authentication via password and appropriate role, or similar means. EHS also employs access restrictions, limiting the scope of employees who have access to Individual Customer Personal Data.

Further, EHS uses secure encryption technology to protect certain categories of Personal Data. Despite these precautions, no data security safeguards guarantee 100% security all of the time.

13.6. NOTIFICATION

EHS notifies Individual Customers about its adherence to the EU-US Privacy Shield and Swiss-US Privacy Shield principles through its publicly posted website privacy policy, available at: https://entrahealth.com/footer/privacy/ and takes Individual Customers’ approval of and adherence to the current policy when they provide their information to us in the transactional process.

13.7. ACCESSING PERSONAL DATA

EHS personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized.

13.8. RIGHT TO ACCESS, CHANGE OR DELETE PERSONAL DATA

13.8.1. Right to Access

Individual Customers have the right to know what Personal Data about them is included in the databases and to ensure that such Personal Data is accurate and relevant for the purposes for which EHS collected it. Upon reasonable request and as required by the Privacy Shield principles, EHS allows Individual Customers access to their Personal Data by contacting EHS by phone or email. To request erasure of Personal Data, Individual Customers should submit a written request to the EHS office in El Cajon, CA USA.

13.8.2. Requests for Personal Data.

EHS will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arises: (a) legally binding request for disclosure of the Personal Data by a law enforcement authority unless prohibited by law or regulation; or (b) requests received from the Data Subject. If EHS receives a request for access to his/her Personal Data from an Individual Customer, then, unless otherwise required under law or by contract with such Individual Customer, EHS will refer such Data Subject to the Individual Customer.

13.8.3. Satisfying Requests for Access, Modifications, and Corrections.

EHS will endeavor to respond in a timely manner to all reasonable written requests to view, modify, or inactivate Personal Data.

13.9. ENFORCEMENT AND DISPUTE RESOLUTION

In compliance with the EU-US Privacy Shield and Swiss-US Privacy Shield Principles, EHS commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this Policy should first contact EHS at: regulatory@entrahealth.com

If a Customer’s question or concern cannot be satisfied through this process, EHS has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

If your complaint is not satisfactorily addressed, and your inquiry or complaint involves human resource data, you may have your complaint considered by an independent recourse mechanism: for EU/EEA Data Subjects, a panel established by the EU data protection authorities (“DPA Panel”), and for Swiss Data Subjects, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). To do so, you should contact the state or national data protection or labor authority in the jurisdiction where you work. CRF Health agrees to cooperate with the relevant national DPAs and to comply with the decisions of the DPA Panel and the FDPIC.

Should your complaint remain fully or partially unresolved after a review by EHS, BBB EU Privacy Shield and the relevant DPA, you may be able to, under certain conditions, seek arbitration before the Privacy Shield Panel. For more information, please visit www.privacyshield.gov.

14. CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may be amended from time to time, consistent with the HIPAA, EU, & Privacy Shield Principles and applicable data protection and privacy laws and principles. We will make employees aware of changes to this Privacy Policy either by posting to our website (www.entrahealth.com), through email, or other means. We will notify Customers if we make changes that materially affect the way we handle Personal Data previously collected, and we will allow them to choose whether their Personal Data may be used in any materially different manner.

15. QUESTIONS OR COMPLAINTS

If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, contact our Privacy & Security Officer at regulatory@entrahealth.com or by mail at:

Entra Health Systems LLC
Attention:
Privacy & Security Officer
1300 North Johnson Avenue, Suite 100 El Cajon, CA 92020

Internet Privacy Policy & Cookie Policy

1.     Purpose

This document describes how Entra Health Systems (EHS) handles personal information gathered during user sessions on the company’s public internet site. It is written in the context of someone who would be reading the company’s website. Items under sections (2) and (5) require inputs and controls by Entra Health Systems staff. This policy will be posted on our company website. This policy is associated with the Entra Health Systems Privacy Policy which pertains to data collected via the company’s online web data collection software. Entra Health Systems’ main Privacy Policy can be found here: https://entrahealth.com/footer/privacy/

2. EHS’S ONLINE PRIVACY COMMITMENT TO YOU

Entra Health Systems and its subsidiaries (collectively, “Entra Health” or “EHS”) may offer online newsletters and mailings of information about our organization. This is designed to provide product-related information and services, as well as corporate and financial news and employment information (the “Services”). Respect for the privacy of personal information about you is very important to EHS. EHS is committed to adhering to this Privacy Policy, as well as applicable laws, rules and regulations.

This Privacy Policy applies to Personal Information (as defined below) collected by EHS’s online resources located under the domain names http://www.entrahealth.com and www.myhealthpoint.com, including all related pages and subdomains (the “Web Site”). This Privacy Policy does not apply to personal information collected from offline resources and communications. This Privacy Policy also does not apply to third-party online resources to which this Web Site may link, frame or otherwise reference.

Please read this Privacy Policy carefully. Should you have any questions about this Privacy Policy or EHS’s data collection, use and disclosure practices, wish to register a complaint, or simply want more information, please contact our Privacy & Security Officer at regulatory@entrahealth.com or by mail at:

Entra Health Systems LLC
Attention:
Privacy & Security Officer
1300 North Johnson Avenue, Suite 100 El Cajon, CA 92020

  • How does this Privacy Policy define “Personal Information”?

The term “Personal Information” as used throughout this Privacy Policy, applies to any information or set of information that is collected by EHS through its Web Site that can identify you (if provided by you) or another identifiable individual, such as your name, address, phone number, e-mail address, company name and position. We may need to collect and process these types of Personal Information in order to provide the requested Services to you, or because we are legally required to do so. If you do not provide the information that we request, we may not be able to provide you with the requested Services.

  • Why does EHS collect and use Personal Information?

Collection

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your Personal Information by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes Personal Information you provide when you:
      • request our products or services;
      • request marketing or surveys to be sent to you;
      • give us some feedback; or
      • use our websites (https://entrahealth.com or www.myhealthpoint.com).
  • Automated technologies or interactions. As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. This information does not reveal your specific identity. We collect this Personal Information by using server logs and other similar technologies.
  • Third parties or publicly available sources. We may receive Personal Information about you from various third parties.
      • Identity data from data brokers or aggregators.
      • Public sources. We may collect identity data from publicly available sources.

EHS collects Personal Information when you visit the Web Site, and when you submit data to us through the Services or via any of our online forms. We may also receive your Personal Information from other sources, such as public databases, joint marketing partners, and from other third parties. When you visit the Web Site, EHS also collects your Internet Protocol (“IP”) addresses to track and aggregate non-Personal Information. For example, EHS uses IP addresses to monitor the regions from which you navigate the Web Site and successful and failed log-in attempts as well as usage statistics for all functional components.

Use

We will only use your Personal Information when the law allows us to and we will not sell, trade or otherwise deal with your Personal Information in any way that contravenes this Privacy Policy (as may be updated from time to time). We have set out below a description of the ways we plan to use your Personal Information, and on which legal basis we do so. Where we rely on our legitimate interests as a legal basis for processing, we have identified the nature of those legitimate interests.

Purpose / activity: Providing our services and managing our relationship with you: to provide services or goods to you; to respond to your enquiries and fulfill your requests, when you contact us, for example, when you send us questions, suggestions, or feedback, or when you request a quote, or other information about, our services.
Type of Personal Information: Name; Address; Email address; Telephone / mobile number(s); Professional title
Basis for use and processing: Necessary for our legitimate interests (for providing our services, running our business, and for administrative purposes)

Purpose / activity: Contacting suppliers
Type of Personal Information: Name; Email addresses; Telephone / mobile numbers; Job title / position of responsibility; Social media profile(s)
Basis for use and processing: Necessary for our legitimate interests (for providing our services, running our business, and administrative purposes)

Purpose / activity: In connection with the sale, assignment, or other transfer of the business to a third party
Type of Personal Information: Name; Address; Email address; Telephone / mobile number(s)
Basis for use and processing: Necessary for our legitimate interests (maintaining revenue, dealing with potential purchasers)

We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Such data may be derived from your Personal Information but is not considered Personal Information in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your Personal Information so that it can directly or indirectly identify you, we treat the combined data as Personal Information which will be used in accordance with this Privacy Policy.

Except as set forth above, we will not otherwise use or disclose any of your Personal Information, except to the extent reasonably necessary: (i) to correct technical problems and malfunctions; (ii) to protect the security and integrity of our Web Site; (iii) to protect our rights and property and the rights and property of others; (iv) to take precautions against liability; (v) to the extent required by law or to respond to judicial process; or (vi) to the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety, as applicable.

  • Who will have access to Personal Information about me?

Personal Information about you will be accessible to EHS, including its subsidiaries, and affiliates worldwide. EHS may also share such Personal Information with its agents, contractors, service providers or business partners, in connection with services that these individuals or entities perform for, or with, EHS. We require all third parties to respect the security of your Personal Information and to treat it in accordance with the law. In such circumstances, we do not allow our third-party service providers to use your Personal Information for their own purposes and only permit them to process your Personal Information for specified purposes and in accordance with our instructions.

  • How does EHS secure your Personal Information?

We use appropriate security measures to protect against the loss, misuse and alteration of data used by our system. It is your personal responsibility to secure your own copies of your passwords and related access codes for our online resources. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with Section (13) below.

  • How can you stop receiving e-mails or other marketing information from EHS?

If you wish to stop receiving emails or other marketing information from us please email support@entrahealth.com.

  • How may I access and correct Personal Information about me?

To gain access to your Personal Information, which EHS has collected online, and to keep it accurate, complete and current, you may contact us at support@entrahealth.com. In your request, please make clear what Personal Information you would like to have changed, whether you would like to have your Personal Information suppressed from our database or otherwise let us know what limitations you would like to put on our use of your Personal Information. For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable. There may also be residual information that will remain within our databases and other records, which will not be removed. Where permitted by law, your ability to access and correct Personal Information will be limited where access and correction would: (i) inhibit EHS’s ability to comply with a legal or ethical obligation; (ii) inhibit EHS’s ability to investigate, make or defend legal claims, result in disclosure of Personal Information about a third party; or (iii) result in breach of a contract or disclosure of trade secrets or other proprietary business information belonging to EHS or a third party.

  • Sensitive Personal Information

While we operate in the healthcare industry, which can involve sensitive Personal Information, we ask that you not send us, and you not disclose, any sensitive Personal Information (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Services or otherwise to us.

  • Other information

In addition, we receive and store certain types of information that do not reveal your specific identity or do not directly relate to an identifiable individual (“Other Information”) whenever you interact with us via our Web Site, including what pages you visit and activities you perform on our Web Site. EHS automatically receives and records certain “traffic data” including third party cookie information, and the page you request; for more information on our cookie policy see Section (9) below. If we are required to treat Other Information as Personal Information under applicable law, then we may use and disclose it for the purposes for which we use and disclose Personal Information as detailed in this Policy. EHS uses Other Information to help diagnose problems with its server, analyze trends and administer the Web Site. We may also use Other Information we collect on or through the Web Site to better understand and market to our customers or website users, individually or in the aggregate.

  • Cookie Policy

EHS uses cookies, tracking pixels and related technologies. Cookies are small data files that are served by our platform and stored on your device. Our site uses cookies dropped by us or third parties for a variety of purposes including to operate and personalize the website. Cookies may also be used to track how you use the site to target ads to you on other websites. A “session cookie” expires immediately when you end your session (i.e., close your browser). A “persistent cookie” stores information on the hard drive so when you end your session and return to the same website at a later date, the cookie information is still available. A web beacon is a small string of code that represents a clear graphic image, a redirect URL or JavaScript and is used in conjunction with a Cookie. A tracking pixel lets us know which part of the webpage was visited.

All personal data provided by you and collected by the MyHealthPoint portal is never stored in a persistent cookie. Session cookies, however, are used to provide a good experience, but are deleted at the end of each session. Any provided personal data as discussed above is only maintained within the MyHealthPoint portal database maintained on a secure server.

Disabling Cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser “Help” section for how to do this). Be aware that disabling cookies will affect the availability of features on this Web Site, as well as the functionality of this Web Site and many other websites that you visit.

The Cookies We Set

When you visit our Web Site, we may use both session and persistent cookies. These cookies may contain information (such as a unique user ID) that is used to track your usage of our Web Site, and may be used to send you ads or offers when you browse our Web Site or other websites.

EHS employs cookies to enable our systems to recognize your browser and tell us how and when pages in our Web Site are visited and by how many people, and also in order for our server to recognize a return visitor as a unique user. EHS uses web beacons alone or in conjunction with cookies to compile information about your usage of the Web Site and interaction with emails from EHS. For example, EHS may place web beacons in marketing emails that notify EHS when you click on a link in the email that directs you to the Web Site. EHS uses web beacons to operate and improve the Web Site and email communications and to send more customized or relevant emails, advertisements and offers to users.

  • Retention Period

We will retain your Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you and provide the Services to you; (ii) whether there is a legal obligation to which we are subject; or (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

  • Jurisdiction and cross border transfers

Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers, and by using the Services you consent to the transfer of information to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information. If you are located in the European Economic Area (EEA): Some of the non-EEA countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these countries is available here). For transfers from the EEA to countries not considered adequate by the European Commission, we have put in place adequate measures, such as standard contractual clauses adopted by the European Commission to protect your Personal Information.

  • How does EHS protect the privacy of children?

Children under the age of 18 should access our site only when initiated by an adult parent or guardian. Entra Health Systems will not knowingly collect or use any personal information from individuals under the age of eighteen without the consent of a parent or guardian, or provide any personally identifying information collected from children, regardless of its source, to any third party for any purpose. If a visitor submits information to the web site through the registration process that indicates the visitor is a child, the child’s parent or guardian email is required and will be alerted to the child’s registration and will be provided instructions on how the parent or guardian can delete the child’s registration, if so desired. Entra Health Systems does not require a child to disclose more information than is reasonably necessary to participate in an activity.

  • Parental Access

A parent can contact our Privacy & Security Officer to access, change or delete the personal information that we have collected from his or her child by sending an email to support@entrahealth.com or regulatory@entrahealth.com. Please include the child’s User name, and the parent’s email address so that we can better assist you with your inquiry or request. Entra Health Systems takes steps to verify the identity of anyone requesting information about a child and to ensure that the person is in fact the child’s parent or legal guardian. We may amend our privacy policy at any time. We will provide parents notice by email of any material changes in the collection, use or disclosure practices to which you had previously agreed.

  • What is EHS’s contact address for privacy questions?

Should you have questions about this Privacy Policy or EHS’s data collection, use and disclosure practices, you may contact us via email at regulatory@entrahealth.com. When you contact us, please note the name of the Web Site or other online resource to which you provided the Personal Information, as well as the nature of the Personal Information that you provided. We will use reasonable efforts to respond promptly to requests, questions or concerns you may have regarding our use of Personal Information about you. Except where required by law, EHS cannot ensure a response to questions or comments regarding topics unrelated to this Privacy Policy or EHS’s privacy practices. If you are located in the European Economic Area, you also may:

  • contact our Privacy & Security Officer at regulatory@entrahealth.com; or
  • lodge a complaint with a supervisory authority competent for your country or region.

  • How will I know when EHS has updated this Privacy Policy?

EHS may update this Privacy Policy periodically and EHS reserves the right to modify, add or remove portions of this Privacy Policy at its discretion. If we decide to change this Privacy Policy, we will post those changes at this Web Site.

  • No representations / No liability

EHS makes no representations about the content of the information found on this Web Site. The information presented on this Web Site is provided to you “AS IS”, WITHOUT ANY WARRANTY OR CONDITION, IMPLIED OR EXPRESSED, INCLUDING BY WAY OF EXAMPLE BUT WITHOUT LIMITATION, ANY WARRANTY OR CONDITION OF SATISFACTORY QUALITY, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR OTHERWISE. Under no circumstances shall EHS assume liability for the use or interpretation by you of information found on this Web Site. EHS expressly disclaims liability for any direct, indirect, incidental, consequential or special damages arising out of your visit to the Web Site and/or the information contained on this Web Site.

This Privacy Policy does not address, and we are not responsible for, the privacy, information or other practices of any third parties, including any third party operating any website or service to which the Services link. The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by our affiliates. In addition, we are not responsible for the information collection, use, disclosure or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, RIM or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider or device manufacturer, including with respect to any Personal Information you disclose to other organizations through or in connection with our Web Site.

QUESTIONS AND CONTACT INFORMATION

If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, contact our Privacy & Security Officer at regulatory@entrahealth.com or by mail at:

Entra Health Systems LLC
Attention:
Privacy & Security Officer
1300 North Johnson Avenue, Suite 100 El Cajon, CA 92020