Healix Group Staff Healthcare Privacy Notice
How we collect personal information
For the purpose of setting up this plan Healix Group HR will provide us with all of the relevant information we need to be able to identify you as an eligible member.
If, during the course of this plan, you need to make a claim, we will collect information directly from you to ensure we have all the relevant information for the purpose of helping you and providing the best service. We may need to collect additional information from your treating medical professionals in order to process your claim. If this is necessary, we will require additional signed consent from you.
Consent
Healix rely on your consent as the legal basis for processing your personal and sensitive personal data. You should know that consent can be withdrawn at any time, either by sending an email containing the relevant information to privacy@healix.co.uk or by sending a letter to the Healix Group Data Protection Officer as detailed below. However, without your consent we may not be able to provide the relevant services.
Personal information, use and disclosure
The following table lists the types of personal information collected by Healix, the purposes for which it is used and who it is disclosed to.
| Personal Data | What is it used for? (Purpose) | Who is it disclosed to? |
| --- | --- | --- |
| Contact information such as name, address, email address, telephone number, date of birth, reference numbers, other contact or identification information. | To positively Assisting insurers Compliance with | |
| Health information including the claimant’s medical history, vaccination history, any current conditions they may be suffering, their diagnosis and prognosis, and details of medical treatment received or recommended. | To enable Healix to provide the requested service and to confirm applicable cover where required. | |
| Details of treating medical professionals, any associated reports or information | To enable Healix to provide the requested service and to confirm applicable cover where required. | |
| Costs associated with medical treatment. | To enable Healix to provide the requested service, confirm eligibility of services or applicable cover where required. | |
Healix may furthermore disclose limited personal data to:
- Public authorities in order to comply with legal and regulatory obligations such as fraud and money laundering prevention and persons/organisations involved in provision of medical treatment, hospital accommodation, public health administration and disease control.
- Organisations involved in maintaining, reviewing and developing our business systems, procedures and infrastructure including maintaining or upgrading our computer systems. Access is always limited by organisational and technical access controls.
Sharing personal information
Healix will only share personal information with third parties for the purposes described in the table above. Healix Staff Claims Team will not disclose medical information about you to the Healix Group of Companies or Trustee without your consent. Only in exceptional circumstances where there is a legal requirement will Healix disclose medical information to third parties or family members without explicit consent.
How we make sure your data stays confidential and secure
Your personal information is held internally on Healix’ secure servers in the UK. As this is a staff plan being managed internally, a second HHS CMS database has been created to solely service the staff plan. Access and permission restrictions are in place to limit access to the Healix Staff Claims Team.
Healix has implemented the following information security controls to protect your data at all times in compliance with our ISO27001 Certification, best practice information security, the GDPR, Data Protection Act 2018 and Medical Confidentiality Guidelines:
- Implementation of a separate HHS CMS Database for the singular purpose of the staff plan.
Applicable information security controls
General Principles
- The Healthcare Plan is managed internally by a dedicated HHS team and supported by two members of the IT team.
- Only authorised individuals will have access to the Healthcare Plan data on the CMS.
- The dedicated phone number will only be available to the authorised HHS team and will be for outgoing calls only.
An email distribution list will be created limited to the dedicated Healthcare Plan HHS team. Laptops and mobile phones will be issued that should only be used for the Healthcare Plan. When you are working on a Healthcare Plan claim the following controls apply:
General controls
- A privacy screen must be in place on the work screen to prevent the screen being accidentally overlooked.
- Every effort is made to ensure all communications are by email or private phone calls to ensure members’ confidentiality.
- Use of the dedicated laptop and mobile phone, which will enable private conversations; these must be held in a meeting room.
- All printing only using Secure Print.
- Compliance with the Clear Desk Policy at all times.
Internal email
- All emails must have the prefix “HHPlan”.
- Only sending emails to:
  - The email distribution list;
  - Individuals from the distribution list;
  - The relevant member, unless consent has been obtained to communicate with a third party;
  - External suppliers and providers.
Storage of emails
- All emails must be allocated to the relevant claim in CMS.
- All email communications outside of the CMS must be stored in a separate Healthcare Plan folder so they can be easily identified and protected.
- Always verify the email address and recipient before sending.
Storage of documents in F:Drive
- In the event that any documentation cannot be stored on the CMS, then such documentation must be stored in a locked folder with limited access rights.
- Never store any documentation in any other folders.
IT Support
If IT support is required, this will be raised personally with the nominated IT individuals and not through an IT Service Desk ticket. If the nominated IT individuals are not available then raise it with the Data Protection Officer.
Your rights
You have the right to:
- Access a copy of the personal information held by Healix.
- Correct the information if it is inaccurate.
- Complete or clarify the information if it is incomplete or equivocal.
- Erase the information if it has been collected without adherence to legal requirements.
- Raise a complaint with Healix if you consider Healix has breached its privacy obligations. If you do not believe Healix has been able to satisfy your complaint then you have the right to complain to the Information Commissioner’s Office (ICO).
Subject access right
You have the right to access Personal Information held about you. To do so you must provide a written request to Healix including as much information as possible (reference number, dates, specific issue etc.) to enable us to comply with your request as quickly as possible. Please see contact details below.
Contacting Healix
Please send any questions or requests for access to: privacy@healix.com, or Healix Global Data Protection Officer, Healix House, Esher Green, Esher, Surrey, KT10 8AB, United Kingdom.