Privacy Shield Privacy Policy

Overview: McKesson Technologies LLC DBA Change Healthcare ("Change Healthcare") is committed to maintaining the privacy and security of Customer Personal Data and Human Resources ("HR") Personal Data (collectively, "Covered Data"). The Change Healthcare Privacy Shield Privacy Policy (the "Policy") establishes the principles that govern the processing of Personal Data received from the European Economic Area (EEA), which includes the European Union (EU) and Switzerland, by the following two Change Healthcare business units located in the United States (U.S.): the Change Healthcare Software & Analytics business unit (formerly known as McKesson Health Solutions (MHS)), and the Change Healthcare Imaging Workflow & Care Solutions business unit (formerly known as McKesson Imaging Workflow Solutions (IWS)).

Effective Date: November 17, 2017

Policy Details:

Privacy Principles:

Change Healthcare adheres to the Privacy Shield Framework as agreed to between the U.S. and the EU and between the U.S. and Switzerland, and publicly certifies that it complies with the Privacy Shield Principles, including all applicable Supplemental Principles, published by the U.S. Department of Commerce for all transfers of Personal Data from the EEA and Switzerland to the U.S. Information regarding Change Healthcare’s Privacy Shield certification is available at: https://www.privacyshield.gov/list.

Notice

Customer Personal Data

As a provider of health care technology solutions, Change Healthcare may view, hold and process Personal Data, including, without limitation, names, contact information, dates of birth, user IDs, IP addresses, medical images, etc. about EEA and Swiss Customers and EEA and Swiss Business Partners for the provision, implementation and support of health care information technology or products to health care institutions, professionals and companies in the EEA and Switzerland. This includes the processing of Sensitive Personal Data provided by EEA and Swiss Customers about their patients to Change Healthcare for the purposes of fulfilling Change Healthcare’s contractual obligations to its EEA and Swiss Customers.

EEA and Swiss Customers and EEA and Swiss Business Partners, as Data Controllers, are responsible for ensuring that Personal Data is processed in accordance with the rights and requirements of the individuals concerned under European data protection law. This includes notifying individuals of the purposes for which Personal Data is collected and used and the types of third parties to which it may be disclosed. Where required, Change Healthcare informs the workers of their EEA and Swiss Customers and EEA and Swiss Business Partners about the purposes for which they collect and use Personal Data, the types of third parties to which Change Healthcare may disclose Personal Data and the choices and means that Change Healthcare offers for limiting the use and disclosure of Personal Data. Notice is provided when individuals are asked to provide Personal Data, or as soon thereafter as practicable. At a minimum, notice is provided before Personal Data is used for a purpose that is materially different from the purpose(s) for which it was originally processed, or disclosed to a third party, and an opportunity to opt-out will be provided in accordance with the Choice section described below.

HR Personal Data

Change Healthcare may also process HR Personal Data, including, without limitation, names, contact information, titles, pictures, IP addresses, user IDs, compensation, benefits information, etc. about its EEA and Swiss Workers. Change Healthcare informs EEA and Swiss Workers about the purposes for which it collects and uses HR Personal Data about them, the types of third parties to which Change Healthcare may disclose HR Personal Data, and the choices and means that Change Healthcare offers EEA and Swiss Workers for limiting the use and disclosure of HR Personal Data. Notice is provided in clear and conspicuous language when EEA and Swiss Workers are first asked to provide HR Personal Data to Change Healthcare, or as soon as practicable thereafter, but in any event, before HR Personal Data is used for a purpose materially different from the purpose(s) for which it was originally collected, processed or disclosed, or before it is disclosed to a third party.

Choice

Where required, Change Healthcare provides its EEA and Swiss Workers, and the workers of its EEA and Swiss Customers and EEA and Swiss Business Partners, as applicable, an opportunity to opt-out prior to disclosing Covered Data or using Covered Data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.

For Sensitive Personal Data, Change Healthcare gives EEA and Swiss Workers the opportunity to affirmatively and explicitly consent (opt-in) prior to the disclosure of Sensitive Personal Data to a third party or to the use of Sensitive Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the EEA or Swiss Worker. Exceptions to consent requirements may apply where the disclosure of Sensitive Personal Data is necessary for Change Healthcare to carry out its employment law obligations or for other reasons as permitted by the Supplemental Principles (under the Privacy Shield program) or applicable law.

Accountability for Onward Transfer

Change Healthcare may share Covered Data with third parties to assist it in providing services to EEA and Swiss Workers or EEA and Swiss Customers. The third parties include those that provide the following types of services: data storage, customer support, employee surveys, talent management, learning management, information security services, investigative/legal services, technical/software support, and human resources management (which may include pay, benefits, relocation, talent acquisition, etc.).

Change Healthcare obtains written agreements from third parties to whom it transfers Covered Data requiring that Covered Data only be processed for limited and specified purposes consistent with the consent provided by the individual, and that such third parties provide at least the same level of privacy protection as is required by the Principles and notify Change Healthcare if they are unable to meet this obligation. Said agreements also require that third parties cease processing or take other reasonable and appropriate steps to remediate if they determine that they cannot meet the aforementioned obligations. If Change Healthcare receives notice or otherwise becomes aware that a third party is using or disclosing Covered Data in a manner contrary to this Policy or the Principles, Change Healthcare will take reasonable and appropriate steps to stop and remediate any unauthorized processing. Change Healthcare remains responsible and liable under the Privacy Shield Principles if third-party agents that Change Healthcare engages to process the Personal Data on its behalf do so in a manner inconsistent with the Principles, unless Change Healthcare proves that it is not responsible for the event giving rise to the damage.

Required Disclosures

Change Healthcare may be required to disclose Covered Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

Security

Change Healthcare takes reasonable and appropriate measures to protect Covered Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the Covered Data.

Data Integrity and Purpose Limitation

Customer Personal Data

Change Healthcare limits the use of Customer Personal Data to ways that are compatible and relevant to the purposes for which the Customer Personal Data was collected and for which notice was provided or for which consent was obtained. Change Healthcare, in cooperation with its EEA and Swiss Customers and EEA and Swiss Business Partners, takes reasonable steps to ensure that Customer Personal Data is reliable for its intended use, accurate, complete and current. Personal Data will be retained in a form identifying or making identifiable the individual only for as long as it serves a compatible and relevant processing purpose and in accordance with applicable law.

HR Personal Data

Change Healthcare limits the use of HR Personal Data to ways that are compatible and relevant for the purposes for which the HR Personal Data was collected and for which notice was provided or for which consent was obtained. Change Healthcare will take reasonable steps to ensure that HR Personal Data is reliable for its intended use, accurate, complete and current. Data will be retained in a form identifying or making identifiable the individual for as long as it serves a compatible and relevant processing purpose and in accordance with applicable law.

Access

Customer Personal Data

Upon request, Change Healthcare cooperates with EEA and Swiss Customers and EEA and Swiss Business Partners regarding access requests to confirm whether an individual’s Personal Data is processed by Change Healthcare. Change Healthcare takes reasonable steps to provide individuals with an opportunity to verify the accuracy of their Personal Data and, if requested, correct, amend, or delete Personal Data to the extent that such Personal Data is retained by Change Healthcare.

HR Personal Data

Upon request, Change Healthcare grants EEA and Swiss Workers reasonable access to HR Personal Data that it holds about them in an understandable format. Change Healthcare will take reasonable steps to allow EEA and Swiss Workers to verify the accuracy of their HR Personal Data and, if requested, to correct, amend, or delete HR Personal Data to the extent that such HR Personal Data is retained by Change Healthcare.

Recourse, Enforcement and Liability

Change Healthcare conducts periodic training for those with access to Covered Data to enhance awareness of the Privacy Shield Principles. Violations of this Policy may be subject to disciplinary action up to and including termination.

Change Healthcare conducts periodic reviews of its privacy practices to verify adherence to this Policy and its Privacy Shield certification to the U.S. Department of Commerce. Change Healthcare is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Complaints and Dispute Resolution

Customer Personal Data

Complaints may be directed to chiefprivacyofficer@ChangeHealthcare.com, to Change Healthcare's Ethics Line at ChangeHealthcareEthicsLine.com or, in select countries, at the numbers provided below.

Local EthicsLine Toll Free Numbers:

Country: Toll-free Number
Australia: 1-300-363-295
Canada: 1-888-235-8480
N. Ireland: 0-808-101-0937
Ireland: 1-800-904-115
Israel: 1-809-457205
New Zealand: 0-800-003882
Philippines: 63-2-6263043
United States (includes Puerto Rico): 1-866-206-1106

Change Healthcare will investigate and attempt to resolve complaints in accordance with the Privacy Shield Principles. For complaints that cannot be resolved by Change Healthcare, Change Healthcare participates in the U.S.-based dispute resolution procedures of an independent third party, which are available to you at no cost. Please see below for further information.

If you have any complaints regarding Change Healthcare's compliance with the Privacy Shield, you should first contact us as provided above.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

HR Personal Data

EEA and Swiss Workers may report complaints to their local HR Manager, to chiefprivacyofficer@ChangeHealthcare.com, to Change Healthcare's Ethics Line at ChangeHealthcareEthicsLine.com or, in select countries, at the toll-free numbers provided below.

Local EthicsLine Toll Free Numbers:

Country: Toll-free Number
Australia: 1-300-363-295
Canada: 1-888-235-8480
N. Ireland: 0-808-101-0937
Ireland: 1-800-904-115
Israel: 1-809-457205
New Zealand: 0-800-003882
Philippines: 63-2-6263043
United States (includes Puerto Rico): 1-866-206-1106

Change Healthcare will investigate and attempt to resolve complaints in accordance with the Privacy Shield Principles. For complaints that cannot be resolved by Change Healthcare, Change Healthcare participates in the dispute resolution procedures of the EU data protection authorities’ panel and agrees to cooperate with the local EEA and Swiss data protection authorities.

In accordance with the Privacy Shield Framework, a binding arbitration option may also be made available to you in order to address residual complaints not resolved by any other means.

Inquiries

If you have questions regarding this Policy or questions about the Personal Data which Change Healthcare may collect, use or share, you may contact us at chiefprivacyofficer@ChangeHealthcare.com. If you are an EEA or Swiss Worker and have questions regarding this Policy or questions about the HR Personal Data Change Healthcare collects, uses or shares about you, or would like to access or update that information, you may contact your manager, your local HR manager, your legal or compliance contact or chiefprivacyofficer@ChangeHealthcare.com. Change Healthcare will respond to all inquiries, concerns or complaints within 45 days.

Changes to the Policy

This Policy may be amended from time to time. Change Healthcare will provide appropriate notice about such amendments.

Policy Definitions:

The following definitions apply throughout this Policy:

"Agent" means any third party that accesses Customer or HR Personal Data to perform tasks on behalf of and under the instructions of Change Healthcare.

"Change Healthcare" means McKesson Technologies LLC DBA Change Healthcare, its predecessors, successors, subsidiaries, affiliates, divisions and groups in the EEA and U.S.

"Customer Personal Data" means any Personal Data, other than in the human resources context, that (1) is transferred from the EEA or Switzerland to the U.S.; and (2) identifies or can be used to identify an individual. This information may be about a Customer's employees and/or patients and may include identifiers such as name, contact information, user access activity data, support records, images, device/location identifier and individual identification numbers.

"Data Processor" means any natural or legal person or any other body which processes Personal Data on behalf of the Data Controller in accordance with the Data Controller's instructions.

"EEA Business Partners" means any natural or legal person in the European Economic Area that does or proposes to do business with Change Healthcare. EEA Business Partners may include service providers, vendors, distributors, re-sellers and/or alliance and teaming parties. This excludes an affiliate of Change Healthcare or its workforce, an EEA Customer or its patients, or any other person that acts in the capacity of an EEA Customer or its patients.

"EEA Customer" means a natural or legal person in the European Economic Area that has procured or proposes to procure products and/or services from Change Healthcare. This applies only to customers of Change Healthcare's Software & Analytics and Imaging Workflow and Care Solutions business units.

"EEA Worker" refers to any person who is employed by or performs services directly for an EEA-based Change Healthcare entity and from whom HR Personal Data is collected, such as employees, contractors, or temporary workers. It includes individuals who apply for positions with an EEA-based Change Healthcare entity.

"Human Resource (HR) Personal Data" means any Personal Data, in the worker context, that (1) is transferred from the EEA or Switzerland to the U.S.; and (2) identifies or can be used to identify an individual. This data may be about EEA or Swiss Workers, Outside Services Workers or candidates and may include information such as name, contact information, individual identification numbers, titles, dates, languages, family information, work status, user access activity data, internet/email/network activity data, facility security records, device/location identifiers, training records, business transactions, compensation, performance ratings, or eligibility for participation in Change Healthcare's benefits programs.

"Personal Data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations performed upon Customer and HR Personal Data whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

"Sensitive Personal Data" means Personal Data, including Customer and HR Personal Data, specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life or sexual orientation of the individual, or genetic or biometric data that uniquely identifies a natural person.

"Swiss Business Partners" means any natural or legal person in Switzerland that does or proposes to do business with Change Healthcare. Swiss Business Partners may include service providers, vendors, distributors, re-sellers and/or alliance and teaming parties. This excludes an affiliate of Change Healthcare or its workforce, a Swiss Customer or its patients, or any other person that acts in the capacity of a Swiss Customer or its patients.

"Swiss Customer" means a natural or legal person in Switzerland that has procured or proposes to procure products and/or services from Change Healthcare. This applies only to customers of Change Healthcare's Software & Analytics and Imaging Workflow and Care Solutions business units.

"Swiss Worker" refers to any person who is employed by or performs services directly for a Switzerland-based Change Healthcare entity and from whom HR Personal Data is collected, such as employees, contractors, or temporary workers. It includes individuals who apply for positions with a Switzerland-based Change Healthcare entity.

Regulator Mandate: Privacy Shield Privacy Principles

Point of Contact: Change Healthcare Privacy Office: chiefprivacyofficer@ChangeHealthcare.com.