Patient Data Privacy Statement
Siemens Healthineers USA1 (Siemens Healthineers) recognizes the need for customers to understand its compliance with applicable United States and international privacy and security laws and regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for the protection of Protected Health Information (PHI) and the modifications to HIPAA under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). This Patient Data Privacy Statement describes Siemens Healthineers’ overall approach and commitment to privacy and security.
Product Manufacturing and Development
Siemens Healthineers manufactures, sells, and delivers a variety of medical imaging and diagnostic devices, as well as related systems, supplies, accessories and reagents (Products), that are subject to applicable requirements for medical devices under the United States Food and Drug Administration (FDA). Siemens Healthineers is aware of medical device cybersecurity guidance issued by the FDA and persistently monitors all new FDA guidance and publications. Siemens Healthineers maintains a robust product solution security program so that cybersecurity and privacy-by-design principles are appropriately addressed throughout the product lifecycle, and in accordance with applicable laws and regulations.
Product Service and Support
Siemens Healthineers offers application training, support, and equipment maintenance and repair services related to its Products. In order to effectively support its customers, Siemens Healthineers may occasionally encounter PHI when troubleshooting and handling Product issues. However, whether providing such services onsite or remotely, most issues can be addressed solely based on technical information, without any access to PHI whatsoever. If access to PHI should occur during a service event, it would typically be incidental in nature, temporary, and limited to the minimum necessary to accomplish the intended purpose. This is supported by system design and operational controls and procedures. Other than the exceptional situations in which minimized PHI may be provisionally provided to address a particular service or support event, Siemens Healthineers does not store or maintain PHI on behalf of customers in their use of the Products. PHI that may be retained on the imaging and diagnostic systems remain at the customer’s site, on the customer’s network, and under the customer’s control.
Digital Health Services and Value-Added Solutions
Siemens Healthineers also provides Digital Health Services and other value-added solutions involving the handling of customer data for population health, benchmarking, data analytics, decision support, and related consulting, which may include PHI, limited data sets, or de-identified data. To the extent any Digital Health Services involve the hosting of customer data, this is done using highly-secured cloud computing environments provided by trusted, certified cloud service providers, and in compliance with all applicable laws and regulations, including HIPAA and HITECH.
Privacy and Security Commitment
Siemens Healthineers is committed to privacy and security. Siemens Healthineers maintains policies and procedures for compliance with applicable laws and regulations that are relevant to the Products and services provided. Siemens Healthineers also maintains a comprehensive data protection and security program that includes administrative, physical, and technical safeguards that are reasonable and appropriate to protect the confidentiality, integrity, and availability of electronic PHI that may be received, maintained, stored, or transmitted by Siemens Healthineers on behalf of customers. Such obligations are also imposed upon all contractors that may handle PHI on behalf of Siemens Healthineers, in compliance with HIPAA and HITECH and other applicable laws. In the unlikely event of a privacy breach, Siemens Healthineers maintains procedures to promptly notify the affected customer(s) to meet legal and regulatory reporting requirements and to efficiently resolve the issue.
Only those employees who have service or support responsibilities with a “need to know” to perform their job will have access to customer data, which may include PHI. Such access is controlled and monitored. Siemens Healthineers personnel may not use or disclose any PHI except for the purposes of performing their job functions and are obligated to comply with all applicable laws, regulations and corporate policies. Any PHI that may be received by Siemens Healthineers is kept secure to maintain its confidentiality and is securely destroyed or returned once the use or disclosure is no longer necessary or permitted. Siemens Healthineers maintains policies and procedures to protect and safeguard PHI, including minimum necessary use and disclosure, and sanctions for those who should violate these policies. Siemens Healthineers employees receive training which emphasizes that all customer data is confidential and must be protected at all times.
Additional information regarding Siemens Healthineers’ approach to data privacy and security for remote service is provided in the Siemens Remote Service (SRS) Security Concept Document. The latest copy of this document is available to customers from their Siemens Healthineers representative upon request. In addition, Siemens Healthineers maintains certification for its SRS platform under the International Standards Organization (ISO) 27001 privacy and security standards. Siemens Healthineers’ ISO 27001 compliance certificate is also available upon request, as well as a list of the controls and objectives upon which the ISO certification is based.
Additional information regarding the privacy and security of Digital Health Services involving hosting of data will be made available to customers from the applicable cloud service provider(s) relevant to particular offerings.
Further inquiries related to this Patient Data Privacy Statement or Siemens Healthineers’ approach to data privacy may be directed to the Siemens Healthineers USA Data Privacy Office at: firstname.lastname@example.org.
1Siemens Healthineers USA is comprised of Siemens Medical Solutions USA, Inc. and USA-based controlled affiliates, Siemens Healthcare Diagnostics Inc. and PETNET Solutions, Inc.