Change Healthcare EU-U.S. and Swiss-U.S. Privacy Shield Certification Notice

Effective: January 1, 2020

Change Healthcare ("Change Healthcare") is committed to maintaining the privacy and security of Personal Data. Change Healthcare’s Privacy Shield certification covers the processing of Customer Personal Data, of Human Resources Personal Data, and of Marketing Personal Data (collectively “Covered Data”). This Change Healthcare Privacy Shield Certification Notice (the "Certification Notice") establishes the principles that govern the processing of Covered Data received from the European Union (EU), Switzerland and the United Kingdom. Change Healthcare, in some instances, may also process Covered Data via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.

Privacy Principles

Change Healthcare adheres to the Privacy Shield Framework as agreed between the US and the EU, and publicly certifies that it complies with the Privacy Shield Principles (the “Principles”), including all applicable Supplemental Principles, published by the US Department of Commerce for all transfers of Personal Data from the EU, Switzerland and the United Kingdom to the US. If there is any conflict between the terms of this Certification Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/participant?id=a2zt0000000TNwXAAW&status=Active

Notice

Customer Personal Data

As a provider of health care technology solutions, Change Healthcare may view, hold and process, as a Data Processor, Customer Personal Data about Data Subjects for the provision, implementation, service and support of health care technology solutions to health care institutions, professionals and companies. This may include the processing of Sensitive Personal Data provided by Customers about their patients to Change Healthcare for the purposes of fulfilling Change Healthcare’s contractual obligations to its Customers.

Change Healthcare’s Customers, as Data Controllers, are responsible for ensuring that Customer Personal Data is processed in accordance with the rights and requirements of the Data Subjects concerned under European data protection law. This includes notifying Data Subjects of the purposes for which Personal Data is collected and used and the types of third parties to which it may be disclosed.

HR Personal Data

Change Healthcare acts as a Data Controller when it processes HR Personal Data about its Workers pursuant to contractual obligations, to meet legal obligations and where necessary for our legitimate interests. Change Healthcare informs Workers about the purposes for which it collects and uses HR Personal Data about them, the types of third parties to which Change Healthcare may disclose HR Personal Data, and the choices and means that Change Healthcare offers Workers for limiting the use and disclosure of HR Personal Data. Notice is provided in clear and conspicuous language when Workers are first asked to provide HR Personal Data to Change Healthcare, or as soon as practicable thereafter, but in any event, before HR Personal Data is used for a purpose materially different from the purpose(s) for which it was originally collected, processed or disclosed, or before it is disclosed to a third party.

Marketing Personal Data

As set forth in our Global Marketing Website Privacy Notice, found at www.ChangeHealthcare.com, Change Healthcare receives Marketing Personal Data such as account creation data, usage information and cookie information from persons who visit the Change Healthcare marketing website. Change Healthcare may also receive Marketing Personal Data from Vendors, including advertisers and publishers, regarding persons located in the EU, Switzerland and the United Kingdom. Details about how Change Healthcare collects, uses, and shares personal data in association with the operation of the marketing website and all other websites that link to or reference the Global Marketing Website Privacy Notice, and information describing your rights and choices, and how you can contact Change Healthcare about our privacy practices, can be found in the Global Marketing Website Privacy Notice.

Choice

Most Covered Data that Change Healthcare processes relies on a legal basis other than individual consent. To the extent individual consent is appropriate, as determined by local law, Change Healthcare provides an opportunity for Data Subject(s) to opt-in or opt-out, as applicable, depending on the circumstances.

For Sensitive Personal Data, Change Healthcare will obtain affirmative express consent (unless otherwise permitted or required by contract or law) from Data Subjects (through an "opt-in" choice) if such Data is to be (1) disclosed to a third party controller or (2) used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt-in choice. Depending on the specific Change Healthcare legal entity involved, this Principle may be performed by Change Healthcare, a related Change Healthcare corporate entity, or by McKesson Corporation pursuant to the terms of a Transition Services Agreement.

Accountability for Onward Transfer

Change Healthcare may share Covered Data with third parties to assist Change Healthcare in providing services to Customers and Workers. The third parties include those that provide the following types of services: data storage, customer support, technical/software support, information security services, investigative/legal services, employee surveys, talent management, learning management and human resources management (which may include pay, benefits, benchmarking, relocation, talent acquisition, etc.).

Change Healthcare obtains written agreements from third parties to whom it transfers Covered Data requiring them to provide at least the same level of privacy protection as is required by the Principles and to notify Change Healthcare if it is unable to meet this obligation. If Change Healthcare receives notice or otherwise becomes aware that a third party is using or disclosing Covered Data in a manner contrary to this Policy or the Principles, Change Healthcare will take reasonable and appropriate steps to stop and remediate any unauthorized processing. Change Healthcare remains responsible and liable under the Principles if third-party agents that Change Healthcare engages to process the Personal Data on its behalf do so in a manner inconsistent with the Principles.

Required Disclosures

Change Healthcare may be required to disclose Covered Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

Security

Change Healthcare takes reasonable and appropriate measures to protect Covered Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, considering the risks involved in the processing and the nature of the Covered Data.

Data Integrity and Purpose Limitation

Customer Personal Data

Change Healthcare processes Customer Personal Data only in a way that is compatible with and relevant to the purpose for which it was collected or subsequently authorized by Change Healthcare’s Customers or Data Subjects. To the extent necessary for those purposes, Change Healthcare takes reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. Change Healthcare will adhere to this Principle for as long as it retains such Data.

HR Personal Data

Change Healthcare limits the use of HR Personal Data to ways that are compatible and relevant for the purposes for which the HR Personal Data was collected and for which notice was provided or for which consent was obtained. Change Healthcare will take reasonable steps to ensure that HR Personal Data is reliable for its intended use, accurate, complete and current. Data will be retained in a form identifying or making identifiable the Data Subject for as long as it serves a compatible and relevant processing purpose and in accordance with applicable law.

Marketing Personal Data

Please refer to Change Healthcare’s Global Marketing Website Privacy Notice for a description of how Change Healthcare collects, uses, and shares Marketing Personal Data.

Access

Subject to certain legal limitations, Data Subjects have the right to access the Covered Data that Change Healthcare maintains as a Data Controller. A Data Subject who seeks access, or who seeks to correct, amend, or delete inaccurate data held by Change Healthcare as a Data Controller should direct that request to the contact  listed below or directly through the link titled “Submit A Data Subject Request” provided on the footer of the www.ChangeHealthcare.com website. Change Healthcare will respond to the request within a reasonable timeframe.

As a Data Processor to Change Healthcare’s Customers, Change Healthcare supports any access request addressed to a Change Healthcare Customer. Please be advised that because Change Healthcare has a limited ability to identify and access a Data Subject’s personal data that is held as Customer Personal Data, if you wish to exercise certain rights upon your Personal Data, we may first refer your request to the Customer who submitted your Personal Data, and we will support them as needed in responding to your request.

Upon request, Change Healthcare grants Workers with reasonable access to HR Personal Data that it holds about them in an understandable format. Change Healthcare will take reasonable steps to allow those Workers to verify the accuracy of their HR Personal Data and, if requested, to correct, amend, or delete HR Personal Data to the extent that such HR Personal Data is retained by Change Healthcare.

Requirement to Disclose

We may disclose personal data when we have a good faith belief that such action is necessary to: conform to legal requirements or to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements; or to enforce our contractual obligations.

Recourse, Enforcement and Liability

Change Healthcare conducts periodic training for those with access to Covered Data to enhance awareness of the Privacy Shield Principles. Violations of this Certification Notice may be subject to disciplinary action up to and including termination.

Change Healthcare conducts periodic reviews of its privacy practices to verify adherence to this Certification Notice and its Privacy Shield certification to the United States Department of Commerce. Change Healthcare is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Complaints and Dispute Resolution

Customer and Marketing Personal Data

Complaints may be directed to chiefprivacyofficer@ChangeHealthcare.com. Change Healthcare will investigate and attempt to resolve complaints in accordance with the Privacy Shield Principles. For complaints that cannot be resolved by Change Healthcare, Change Healthcare participates in the United States-based dispute resolution procedures of an independent third party, which are available to you at no cost. Please see below for further information.

If you have any complaints regarding Change Healthcare's compliance with the Privacy Shield, you should first contact us at the email address provided above.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

HR Personal Data

EU, Switzerland and United Kingdom Workers may report complaints to their local HR Manager, to chiefprivacyofficer@ChangeHealthcare.com, or to Change Healthcare's Ethics Line at ChangeHealthcareEthicsLine.com.

Change Healthcare will investigate and attempt to resolve complaints in accordance with the Privacy Shield Principles. For complaints that cannot be resolved by Change Healthcare, we also commit to cooperate with competent data protection authorities (DPAs) in the EU, Switzerland and the United Kingdom regarding issues concerning HR Personal Data transferred from a country participating in the Privacy Shield in the context of the employment relationship.

In accordance with the Privacy Shield Framework, a binding arbitration option may also be made available to you in order to address residual complaints not resolved by any other means.

Inquiries

If you have questions regarding this Certification Notice or questions about the Personal Data which Change Healthcare may collect, use or share, you may contact us at chiefprivacyofficer@ChangeHealthcare.com. If you are a Worker in the EU, Switzerland or the United Kingdom and have questions regarding this Certification Notice or questions about the HR Personal Data Change Healthcare collects, uses or shares about you, or would like to access or update that information, you may contact your manager, your local HR manager, your legal or compliance contact or chiefprivacyofficer@ChangeHealthcare.com.

Changes to the Certification Notice

This Certification Notice may be amended from time to time. Change Healthcare will provide appropriate notice about such amendments.

Certification Notice Definitions:

The following definitions apply throughout this Certification Notice:

"Agent" means any third party that accesses Personal Data to perform tasks on behalf of and under the instructions of Change Healthcare.

"Change Healthcare" means Change Healthcare, subsidiaries, affiliates, and business units located in the EU, Switzerland, the United Kingdom and the United States, as applicable.

Customer” means a natural or legal person that has procured or proposes to procure products and/or services from Change Healthcare. This Certification Notice applies only to Customers of Change Healthcare's Enterprise Imaging business unit located in the EU, Switzerland and the United Kingdom.

"Customer Personal Data" means any Personal Data, other than in the human resources context that is (1) is transferred from the EU, Switzerland or the United Kingdom to the United States; and (2) identifies or can be used to identify a Data Subject. This information may be about a Customer's employees and/or patients and may include identifiers such as name, contact information, user access activity data, support records, images, device/location identifier and individual identification numbers.

Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

"Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller,

"Human Resource (HR) Personal Data" means any Personal Data, in the Worker context, that (1) is transferred from the EU, Switzerland or the United Kingdom to the United States; and (2) identifies or can be used to identify a Data Subject. This data may include information such as name, contact information, individual identification numbers, titles, dates, languages, family information, work status, user access activity data, internet/email/network activity data, facility security records, device/location identifiers, training records, business transactions, compensation, performance ratings, or eligibility for participation in Change Healthcare's benefits programs.

Marketing Personal Data” means any information relating to an identified or identifiable natural person such as account creation data, usage information and cookie information gathered from Data Subjects who visit the Change Healthcare marketing website at www.ChangeHealthcare.com.

"Personal Data" means any information relating to an identified or identifiable natural person (‘Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Sensitive Personal Data" means Personal Data, including Customer and HR Personal Data, specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life or sexual orientation of the individual, or genetic or biometric data that unique identifies a natural person.

"Vendor" means any natural or legal person that does or proposes to do business with Change Healthcare. Vendors may include service providers, distributors and re-sellers. This excludes an affiliate of Change Healthcare or its workforce, a Customer or its patients, or any other person that acts in the capacity of a Customer or its patients.

Worker” refers to any person who is employed by or performs services directly for a  Change Healthcare entity and from whom HR Personal Data is collected, such as employees, contractors, or temporary workers. It includes individuals who apply for positions with a Change Healthcare entity.