Global Privacy Policy

INTRODUCTION

At Sagility*, we are committed to protecting and maintaining the privacy and confidentiality of the personal and health information (PHI) that is entrusted to us. This Privacy Policy outlines our practices for the information we collect, use, disclose and safeguard, and the possible uses of that information. This document also contains Sagility’s Privacy Principles, and it governs and supports all the business activities of Sagility in our processing of protected health information (PHI) that: (1) is involved in providing or receiving services or products, (2) sends you communications, or (3) posted a position for which you are applying.

 

PURPOSE

The Privacy Principles are the basic rules that guide the Company’s efforts as they relate to privacy and the handling and protection of personal information. These Privacy Principles are published for all internal and external audiences, including clients, associates, employees, and contractors.

 

SCOPE & APPLICABILITY

This policy is applicable to all Sagility entities within the US and Sagility affiliate entities across India, Philippines, Jamaica, and Colombia. This policy applies to all personal health information (PHI) related to business operations, and to employee personal records, supplier data, and onsite-contractor employee data maintained by Sagility, in any form that we handle, including digital, paper, and verbal communications. It pertains to all employees, contractors, and partners who may have access to such information. This document will govern all healthcare business activities that involve the processing of PHI undertaken by Sagility and any person working under Sagility’s direction or control, in accordance with CMS, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the HIPAA Omnibus Rule of 2013 as defined in the HIPAA Privacy Rule, and state-specific privacy laws as applicable.

In relation to employee, supplier or contractor information/data, the respective governing laws apply, including but not limited to: the US Labor & Employment Law as may be applicable; the Philippines Data Protection Act, 2012; the Indian Personal Data Protection Act, 2023; the Jamaican Data Protection Act, 2020; and the Colombian Fundamental Data Protection Rights Provisions under its Constitution Art. 15 & Art. 20 – Law No.1581 of 2012.

This Policy is applicable to all Personal Data collected, received, possessed, owned, controlled, stored, dealt with, or handled by Sagility in respect of an individual. Personal Data and information that Sagility handles for its clients in the context of providing technology and outsourcing services shall be processed according to the contractual provisions and specific privacy practices agreed upon with each client, as applicable.

 

POLICY STATEMENT/S

At Sagility, we are committed to safeguarding the privacy and security of Personal Health Information (PHI) and Personally Identifiable Information (PII) in accordance with applicable laws and regulations, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA) and the applicable Data Protection Laws within our operating jurisdictions. This privacy statement outlines our practices concerning the collection, use, disclosure, and protection of PHI and PII.

The Privacy Policy expounds upon the Privacy Principles and provides guidance on actions Sagility is to take relating to personal data. Compliance with the Privacy Policy and Principles is mandatory for all Sagility personnel, other internal stakeholders, and external parties. The Privacy Policy includes common questions concerning the Company’s privacy program, its privacy practices, and areas of general privacy concern.

 

INFORMATION COLLECTION

Sagility collects, uses, processes, and stores personal data as needed for human resources and employment processes from current and prospective employees. Sagility collects this information only in a reasonable and lawful manner and in accordance with our contracts with healthcare providers, vendors, employees, and others as permitted by law. The types of information that may be collected, either directly or indirectly, include but are not limited to:

 

For Clients

Sagility collects and uses PHI and PII as needed to deliver its products and services and manage its business. We collect personal data consistent with the fulfilment of contracts and agreements. Sagility uses such personal data only for relevant, appropriate, and customary purposes, such as:

  • Providing information on our services
  • Providing advice and answering client inquiries and requests
  • Inviting individuals to Company events
  • Processing contracts and transactions
  • Administering accounts
  • Service management and analysis
  • Government reporting and other legal and expected business-related purposes
  • Patient identification details (e.g., name, address, date of birth)
  • Medical history and current health status
  • Insurance details
  • Treatment records

 

For Employees

  • Contact Information
  • Employment preferences
  • Educational and employment background
  • Personality attributes and skills
  • Licenses, certifications, and other credentials
  • Organizations and affiliations
  • Government-issued information and/or certifications or clearances
  • Special categories of personal data including but not limited to gender, biometric data, data concerning health.
  • Registration data including systems assigned identifiers and captured photo.
  • Details of administrative, civil, or criminal offenses

 

For Vendors, Suppliers

Sagility collects personal data about individuals who are employed by our suppliers and vendors in accordance with requirements under the Office of Inspector General (OIG), Health and Human Services (HHS) and Federal and State Laws as applicable.  This contact information and other personal details are used to administer existing and future business arrangements and Federal and/or State reporting requirements.

 

Website Enquiries:

Sagility collects personal data about individuals who enquire about our services through the “Contact Us” website page. We collect the information for the purposes of responding to the enquiry and for providing details of services and offerings.

 

Others (Including the Whistleblower Hotline Emails)

Additional personal data may be collected, used, and disclosed for the purposes for which it was collected and for legal compliance purposes, including regulatory reporting, investigation of allegations of wrongdoing, and the management and defence of legal claims and actions, and compliance with subpoenas, court orders and other legal obligations in accordance with the respective Federal, Union, National and State/Regional Laws.

 

USE OF INFORMATION

Business Healthcare Operations:

The PHI we collect is used solely for the purposes of fulfilling our contractual obligations, including but not limited to:

– Processing medical claims

– Providing customer support

– Conducting billing operations

– Other activities / purposes as agreed with respective client under a Contract.

– Patient identification details (e.g., name, address, date of birth)

– Medical history and current health status

– Conducting Initial Clinical Reviews for Utilization Review determination that are within clinical guidelines

– Other purposes as agreed with healthcare clients

 

Employee / Contractor / Supplier:

The information that we collect from employees is used solely for employee administration within the organization, reporting to the appropriate government (as may be necessary), and management of statutory benefits and wages.

 

DISCLOSURE OF INFORMATION

PHI will not be disclosed outside of Sagility except:

– As necessary to fulfil the service obligations as outlined in our contracts with healthcare providers

– When required by law, such as in response to a subpoena or other legal process

– To our subcontractors who agree to comply with the terms of this policy

 

DATA PROTECTION 

We implement a range of security measures to protect PHI against unauthorized access, alteration, disclosure, or destruction. These include:

– Encryption of digital information

– Secure storage facilities for physical records

– Regular security audits and vulnerability assessments

 

TAILORING GUIDELINES 

Sagility shall periodically review changes to applicable law concerning the handling of personal information, including its collection, storage, protection, and disposition. Certain state-specific regulations may apply to the handling of client-related information; in such events, Sagility’s workforce shall comply with and adhere to the state-specific privacy regulations that are in line with the client policies and procedures.

Sagility is a BPM provider and is bound by the respective client’s contract. To the extent of the client’s business operation processes, the Notice of Privacy Practice of the respective client shall prevail over this policy. Additionally, for information handling procedures related to client business operations, the workforce shall adhere to and comply with the respective client’s policy on information handling, which includes modification, change or deletion of information.

 

EXCEPTIONS TO THE POLICY

Exceptions Handling: While we are committed to protecting the privacy and security of PHI and PII, there may be certain exceptions where we may need to use or disclose information beyond the scope outlined in this privacy statement. These exceptions may include:

  1. Legal Obligations: We may be required to disclose PHI or PII in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  2. Emergency Situations: In situations involving imminent danger to an individual’s health or safety, we may use or disclose employee PII to prevent harm.
  3. Business Transfers: In the event of a merger, acquisition, or sale of assets, employee PII may be transferred as part of the transaction. In such cases, we will ensure that appropriate protections are in place to safeguard the information.
  4. De-identified Information: We may use or disclose de-identified information that does not identify individuals for research, statistical analysis, or other purposes, without restriction.
  5. Consent: In certain circumstances, we may use or disclose employee PII with the individual’s explicit consent or authorization.
  6. Health or Safety: We may disclose employee PII to authorized individuals if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
  7. Compliance with Policies: We reserve the right to use or disclose employee PII as necessary to enforce our policies and procedures or to protect our rights, property, or safety.

It is important to note that any use or disclosure of employee PII under these exceptions will be limited to the extent necessary to fulfil the purpose of the exception and will be subject to applicable legal requirements and safeguards. We will make reasonable efforts to notify affected individuals about any such exceptions, unless prohibited by law or necessary to protect the integrity of an investigation or legal proceeding.

 

ACCESS CONTROLS

Access to PHI is restricted to authorized personnel only, based on their role and function within the organization. All employees and contractors are required to complete training related to privacy and security policies.

 

BREACH NOTIFICATION 

In the event of a breach of any PHI, we will:

– Notify affected individuals and clients promptly, in accordance with applicable laws and agreements

– Investigate the breach and take necessary corrective actions

– Document incidents and measures taken

 

POLICY UPDATES 

This privacy policy may be updated periodically to reflect changes in our practices or relevant laws. Any changes will be posted on our website with an updated revision date.

 

CONTACT INFORMATION 

For any questions or concerns regarding our privacy practices or the handling of PHI, please contact:

 

Privacy Officer Name | Privacy Officer Contact Information
Madhusudhan DS, Vice President, Healthcare Compliance – India & Philippines | [email protected]
Nan Sloan-Slaughter, Senior Director, Head of US, Jamaica & Colombia | [email protected]

ACKNOWLEDGMENT OF PRIVACY PRACTICES 

All employees and contractors of Sagility are required to acknowledge that they have read, understood, and agreed to adhere to this Healthcare Privacy Policy and related procedures.

 

ABBREVIATIONS, TERMS AND DEFINITIONS:

Abbreviation | Expansion
PHI | Protected Health Information
SPI | Sensitive Personal Information
PII | Personal Identifiable Information
CMS | Centres for Medicare and Medicaid Services
OIG | Office of Inspector General
OCR | Office of Civil Rights
HHS | Department of Health and Human Services
HIPAA | Health Insurance Portability and Accountability Act

 

Terms and Definitions:

Terms | Definition
PHI | The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).
HIPAA Privacy Rule | The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used.
HIPAA Omnibus Rule 2013 | The HIPAA Omnibus Rule of January 2013 was comprised of four Final Rules which were combined into one Omnibus Rule to reduce the impact of the changes and the number of times covered entities and business associates would need to undertake compliance activities. Although effective in March 2013, some of the changes were already in force due to Interim Rules having been issued following the passage of the HITECH Act in 2009.
HIPAA Omnibus Rule 2023 | In 2023, HIPAA aims to increase patient access to PHI and EHRs. The refinement of HIPAA’s Privacy Rule includes: • Individual rights to inspect, take notes, and photograph their PHI and EHR • A patient’s ability to direct their information to a third-party business with a reasonable cost-based fee
The Philippines Data Protection Act, 2012 | The Philippines Data Privacy Act protects the fundamental human right of privacy of Filipinos, ensures the free flow of information, and promotes responsible data handling in the government and private sectors. The act’s mission is to highlight the importance of safeguarding individual data in the modern data-driven digital landscape. This blog provides a concise overview of the Act, including its scope, data subjects’ rights, obligations for data controllers, and the significance of compliance.
Indian Personal Data Protection Act 2023 | The framework protects the personal data of data principals and restricts the activities of data fiduciaries. In many ways, the DPDP replaces the limited data protections afforded by the Indian Information Technology Act of 2008 and bolsters India’s overall privacy laws. In addition to providing guidelines for data security and data privacy, the DPDP also established the Data Protection Board of India to help enforce its protocols.
Jamaican Data Protection Act 2020 | This act creates the legal blueprint for how data within Jamaica should be collected and processed. It also sets the framework for penalties that can be imposed on individuals and organizations who do not comply with the guidelines of this act.
Colombian Fundamental Data Protection Rights Provisions under its Constitution Art. 15 & Art. 20 – Law No.1581 of 2012 | Colombia recognizes two fundamental personal data rights under Articles 15 and 20 of its Constitution: (1) the right to privacy and (2) the right to data rectification. Personal data processing is further regulated by two statutory laws and several decrees that set out data protection obligations.

 
