Healix Healthcare Trust Booklet Privacy Notice
1. Who we are
Healix Health Services Limited provide flexible and cost effective corporate trusts including access to private healthcare that is bespoke to clients’ health requirements. Healix Health Services Limited (Healix) has a registered address at Healix House, Esher, KT10 8AB, UK and registration number 3945478.
2. How we collect personal information
For the purpose of setting up this scheme your employer will provide us with the relevant information we need to be able to identify you as a member. Your employer is the Data Controller for this information.
If you need to make a claim we will collect information directly from you to ensure we have all the relevant information for the purpose of helping you and providing the service. We may need to collect additional information from your treating medical professionals in order to process your claim. If this is necessary, we will require additional consent from you.
3. Legal Basis
We rely on the following legal basis for processing your personal and sensitive personal data for the purpose of providing Corporate Healthcare Trust Services:
- For the purpose of management of health systems and services;
- Where processing is necessary for the establishment, exercise or defence of legal claims;
- Processing data may be required in the public interest, such as detection and prevention of fraud.
Healix rely on your consent to:
- Initially open a claim and start specific processing activities (i.e. assess cover);
- Obtain additional medical records from your treating medical professional;
- Share your personal data with the employer;
- Discuss your case with a family member or friend.
You should know that consent can be withdrawn at any time either by sending an email containing the relevant information to the Healix Team Claims Helpline or the Data Protection Officer as described below. We will endeavour to stop the processing activity but you should be aware that where a claim has been opened or where information has been disclosed the processing activity cannot be reversed or stopped. We will retain a copy of your data for evidence and compliance with applicable legal obligations.
4. What Information, Purpose and Disclosure
The following table lists the types of personal information collected by us, the purposes for which it is used and who it is disclosed to.
Personal Information | What it is used for (Purpose) | Who is it disclosed to |
---|---|---|
Contact information such as name, address, email address, telephone number, date of birth, reference numbers, other contact or identification information. | To positively identify and communicate with you in order to provide the service requested. Compliance with our legal obligations, including in relation to the administration of public health | Persons or organisations involved in providing you with services, or components of services, employees, agents, subcontractors, professional advisors (and any other persons or bodies having a legal right or duty to have access to or knowledge of personal data). Companies in the Healix Group. Persons/organisations involved in provision of medical treatment, hospital accommodation. |
Health information including your medical history, vaccination history, any current conditions you may be suffering, your diagnosis and prognosis, and details of medical treatment received or recommended. | To enable us to provide the requested service and to confirm applicable cover where required. | Persons or organisations involved in providing you with services, or components of services, employees, agents, subcontractors, professional advisors (and any other persons or bodies having a legal right or duty to have access to or knowledge of personal data). Companies in the Healix Group. Persons/organisations involved in provision of medical treatment, hospital accommodation. |
Details of treating medical professionals, any associated reports or information | To enable us to provide the requested service and to confirm applicable cover where required. | Persons or organisations involved in providing you with services, or components of services employees, agents, subcontractors, professional advisors (and any other persons or bodies having a legal right or duty to have access to or knowledge of personal data). Companies in the Healix Group. Persons/organisations involved in provision of medical treatment and hospital accommodation. |
Costs associated with medical treatment. | To enable us to provide the requested service, confirm eligibility of services or applicable cover where required. | Persons or organisations involved in providing you with services, or components of services employees, agents, subcontractors, professional advisors (and any other persons or bodies having a legal right or duty to have access to or knowledge of personal data). Companies in the Healix Group. |
Specific to lifetime benefit spend limit schemes: Knowledge of the accumulated lifetime spend and spend per condition is critical to making future cover decisions. To facilitate the continued provision of administrative services to members and dependants of lifetime benefit limit schemes, Healix will transfer minimum personal data to any potential future scheme Administrator for the specific purpose of facilitating ongoing management of the scheme.
We may also need to share limited personal data with organisations involved in maintaining, reviewing and developing our business systems, procedures and infrastructure including maintaining or upgrading our computer systems and persons/organisations involved in public health administration and disease control.
5. Sharing personal information
We will only share personal information with third parties for the purposes described in 4. What Information, Purpose and Disclosure. We will not disclose medical information about you or your dependants to your employer or Trustee without your consent. Only in exceptional circumstances where there is a legal requirement will we disclose medical information to third parties or family members without explicit consent.
6. How we store data
Personal information is held on our secure servers in the UK.
We always aim to minimise the amount of data processed and in particular sensitive personal data. We have strict organisational and technical measures in place to protect your data at all times in compliance with our ISO27001 Certification, best practice information security, the GDPR and Medical Confidentiality Guidelines.
7. International Transfer
All data is stored and processed in the UK and will not be subject to cross border transfer.
8. Automated Decision Making
We use technology to provide a quicker and more consistent service for certain invoice processing activities. You have certain rights when an organisation is making a decision using technology, without a person being involved. You have the right:
- not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or other equally important matters (eg automatic refusal of an online credit application, and e-recruiting practices without human intervention);
- to understand the reasons behind decisions made about you by automated processing and the possible consequences of the decisions; and
- to object to profiling in certain situations, including for direct marketing
You can exercise your rights by contacting Healix – please see the contact information in the section “Contacting Healix or make a complaint”.
9. What are your Rights?
Under Data Protection legislation, you have rights in regards to your Personal Data. You can exercise your rights at any time by contacting the Healix Group Data Protection Officer (details are provided at the end of this policy). You have the right to:
- Withdraw consent. Where we are relying on your consent to process your Personal Data, you have the right to change your mind and withdraw that consent.
- Request access to your Personal Data and be informed and provided with clear, transparent and easily understandable information about how we process your
- Personal Data (please see “Subject Access Right” below). This Privacy Policy is provided for this purpose.
- Request rectification of your Personal Data held by us if it is inaccurate.
- Request that we erase the Personal Data if it has been collected without adherence to legal requirements or is no longer needed, in accordance with this policy.
- Request restrictions to the data processing activity in situations where you believe we no longer need to process your Personal Data.
- Complain if you consider we have breached our privacy obligations (see “Contacting Healix or making a complaint”, below).
10. Subject Access Right
You have the right to access Personal Data held about you. To exercise this right we would prefer that you provide a written request to us including as much information as possible (dates, specific issue etc.) to enable us to comply with your request as quickly as possible. You can however also make a verbal request. In responding to your access request we will
confirm what data we process and what we use it for, who we share it with, how we collected it and how long we keep it.
To make an access request please contact us using the contact details below under the section “Contacting Healix or make a complaint”.
11. Contacting the Healix Data Protection Officer
Please contact us if you have any questions about anything in this Notice or think that your Personal Data has been misused or mishandled:
- Email: privacy@healix.com
- Healix Teams Claims Helpline on 02087633287
- Letter: Healix Group Data Protection Officer, Healix House, Esher Green, Esher, Surrey, KT10 8AB, UK.
We will treat your requests or complaints confidentially and contact you within a reasonable time after receipt of your communication to address your concerns and outline options
regarding how they may be resolved. We will aim to ensure that your complaint is resolved in a timely and appropriate manner.
If you do not believe your complaint is managed appropriately you have the right to escalate the complaint to your national data protection supervisory authority if you do not believe Healix has addressed your concerns. If you are located in the UK the independent regulator is the Information Commissioners Office: casework@ico.org.uk
Please also see the Healix Privacy and Cookies Policy for further information.
12. Definition
‘Dependant’ means a member’s partner (if a member gets divorced their partner will no longer be considered as a dependant for the purpose of this scheme) and a member’s unmarried dependent children.
‘Member’ means an employee or dependant covered under the Scheme.
‘Scheme’ means your employers Corporate Healthcare Scheme, of which you are a member.
‘Treatment’ means surgical or medical services (including diagnostic tests and consultations). This includes but is not limited to diagnostics tests, scans, and surgical procedures.
‘Trustee’ means any trustee or trustees for the time being of the healthcare scheme.
‘We’, ‘Us’ and ‘Our’ means Healix Health Services Ltd., Healix House, Esher Green, Esher, KT10 8AB, UK.
‘You’ and ‘Your’ means the eligible member and their dependants, if eligible.
Website Traffic
In order to improve our website structure and functionality, we count the number of visitors and how visitors move around the website. More specifically, we are tracking the following fully anonymised information:
- Masked 2 byte(s) IPs - e.g. 192.168.xxx.xxx
- Date and time of a page request
- Title of the page being viewed (Page Title)
- URL of the page being viewed (Page URL)
- URL of the page that was viewed prior to the current page (Referrer URL)
- Screen resolution being used
- Time in local user’s timezone
- Files that were clicked and downloaded (Download)
- Links to an outside domain that were clicked (Outlink)
- Pages generation time/Page speed (the time it takes for webpages to be generated by the webserver and then downloaded by the user)
- Main Language of the browser being used (Accept-Language header)
- User Agent of the browser being used (User-Agent header)
We are not collecting personal data