Administrative Guidelines and Standards Document
Index
1 – About the Privacy and Personal Data Protection Policy
Acol Consultoria & Sistemas developed software capable of maintaining the “financial health” of Supplementary Health Plan Operators. Our software automates the process of auditing medical service providers' accounts, enabling a clear view for both sides (operators X service providers) and a significant reduction in unnecessary costs.
The SAUDI System operates by receiving data provided by supplementary health operators and medical service providers, some of which are Personal Data and/or Sensitive Data (“Data”), depending on the software and services contracted by the operators.
Acol, as Data Operator, will process this Data in accordance with the instructions of the Health Operators. In accordance with the new Brazilian legislation nº 13,709, of August 14, 2018 (“General Data Protection Law” or “LGPD”) on the protection of Personal Data, the Personal Data Protection and Privacy Policy (“Policy”) was prepared, with the aim of reaffirming Acol’s commitment to the best practices for protecting the data received.
2 – Objectives
The Policy is used to establish the way in which the Personal Data of Patients from Health Operators are collected, processed, stored and discarded by Acol Consultoria & Sistemas, ensuring that mechanisms are put in place to guarantee the use of Personal Data compatible with the purposes designated by the Health Operators and in accordance with the LGPD, in addition to the use of technical and administrative measures capable of protecting Personal Data.
3 – Definitions
"Controller" – natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data;
"Personal data" – Personal data is considered to be any and all information, regardless of its nature, that directly or indirectly is capable of identifying a natural person, data holder, namely by reference to an identification number or specific elements
of their physical, psychological, physiological, economic, social or cultural identity.
“Sensitive Data” – Sensitive personal data is considered to be data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when
linked to a natural person.
“Health Data” – Personal data relating to the holder’s physical or mental health, including the provision of health services, which reveals information about their past, present or future health status.
“Health Operators” – operators of supplementary health plans, hospitals, clinics, social health organizations and other health institutions, contractors of the SAUDI System, who will act as Controller.
“General Data Protection Law” or “LGPD” – Law No. 13,709, of August 14, 2018.
"Operator" – natural or legal person, governed by public or private law, who processes personal data on behalf of the controller;
“Patients” – These are the patients or beneficiaries of the Health Operators, whose data is used in the SAUDI System.
“SAUDI System” – The definition is in item 1 of this Policy.
"Treatment" – Any operation carried out with personal data, such as those relating to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information,
modification, communication, transfer, diffusion or extraction.
4 – Processing of Personal Data
4.1 – Responsible for the Processing of Personal Data
The Processing of Personal Data or Sensitive Data, as a rule, can only be carried out with the Patient's consent. Health Operators, the Controlling agent under the LGPD, are solely and exclusively responsible for obtaining consent from Patients, which must be free, informed and unequivocal, whereby the Patient agrees to the use of their Data for a specific purpose, in the exact terms of the LGPD.
Therefore, for each service offered by Acol Consultoria & Sistemas, contracted by the Health Operators, in accordance with clause 2 below, specific consent must be obtained from the Patient authorizing the Data Processing, object of each service that makes up the SAUDI System.
Acol Consultoria & Sistemas, therefore, as an Operator under the terms of the LGPD, must carry out Data Processing on behalf of the Health Operators and in accordance with the instructions provided by them, as long as they are lawful and in compliance with the LGPD, through the execution of contract
signed between Acol and the Health Operator.
Acol Consultoria & Sistemas has a trained and specialized team that will carry out the appropriate and necessary Data Processing to meet the purpose of the SAUDI System contracted by each Health Operator.
4.2 – Product
The SAUDI System includes a series of data that depends on the sending, by Health Operators, of Patient Data. The Data collected, the Processing and the purpose of each service, object of the SAUDI System, are described in the table below:
Data type | Data | Goal | Treatment |
|---|---|---|---|
Recipient | Identification data (Name, CPF, Card Number, CNS) Clinical Data (Clinical Indication, Live Birth Certificate Number, Death Declaration Number, Technical Justification) as well as Admission Summary Guides, Third Party Service Guides and SADT, Hospitalization Guides Medical Fees and Medical Consultation Guides Authorization and Observation Password | The SAUDI system automates and simplifies the Medical Bill Audit process, established between Supplementary Health Operators and Medical Service Providers. SAUDI's proposal is to carry out Technical and Administrative, Automatic and Manual Audits on Admission Summary Guides, Third Party Service Guides and SADT, Medical Fee Guides and Medical Consultation Guides. All in the ANS / TISS standard, received via the XML standard or typed directly on the Internet. | Collection, reception, storage, access, processing, use, evaluation, monitoring, reporting, and disposal of Data. |
Provider | Identification data (Provider Code, Trade Name or Provider Name, CPF, ANS Registration, CNES, Address, Telephone, Email, Professional Council Number) and additional observations from the Provider | Collection, reception, storage, access, processing, use, evaluation, monitoring, reporting, and disposal of Data. | |
Healthcare professional | Identification Data (Name, CPF, Signature, Council Number, Professional Code at the Operator, Linked User) | Collection, reception, storage, access, processing, use, evaluation, monitoring, reporting, and disposal of Data. | |
User | Identification data (Name, login, Email, Telephone) | Allows the management of access and incidents/adverse events in healthcare providers | Collection, reception, storage, evaluation, monitoring, report production, and disposal of Data. |
4.3 – Collection, Storage, Use and Disposal of Data
4.3.1 – Data Collection and Reception
Acol Consultoria & Sistemas only collects Patient Data that is strictly necessary within the scope of providing the services offered by the SAUDI System mentioned in item 2 above. The Health Operators are responsible for sending the Data to the SAUDI System. The inclusion of information on the SAUDI System platforms can be carried out, directly and manually, by people authorized to access the SAUDI System indicated by the Health Operators (“Users”), through the XML standard or through a database link.
Each User, through a SAUDI System tool, will adhere to the SAUDI System User Privacy Policy that makes up this Policy.
4.3.2 – Data Storage
After collection and reception by Acol Consultoria & Sistemas, the Data is stored on an online server that is always available in a cloud environment (“Database”) protected against intrusions, leaks and deletions of the Data.
Each Health Operator has direct access only to its own Data, and only Users duly registered with the Health Operator are authorized to access them.
The Database is protected by adopting the controls and procedures adopted in item
“Data Protection” of this manual and in the policies mentioned there.
4.3.3 – Use of Data
The Data is used by Acol Consultoria & Sistemas in accordance with the service contracted by the Health Operator and to meet the purposes described in item 2 above.
4.3.4 – Data Access
Only Users authorized by the Health Operators can have access to the SAUDI System Data and Database.
In addition to processing Patient Data from Health Operators, Acol Consultoria & Sistemas also needs to collect, store, use and discard Personal Data from SAUDI System Users to ensure that only authorized people have access to its platforms.
When beginning its contractual relationship with Acol Consultoria & Sistemas, the Health Operator must share the information of a representative indicated as responsible for the approval and registration of other employees of the Health Operator who may have access to the SAUDI System in that institution. (“User in Charge”).
Once the User in Charge of the SAUDI System has been registered, the Health Operator becomes solely responsible for allowing new users into the SAUDI System. It is up to the User in Charge to delegate access to Acol Consultoria & Sistemas services, as well as the scope of permission that new users will have in the SAUDI System.
To register new Users, the User in Charge must make this User's name and email data available in the SAUDI System.
Each User must accept all the terms and conditions of the Privacy Policy, which makes up Annex I, consenting to the use of their Data by Acol Consultoria & Sistemas for the use of the SAUDI System.
Health Operators must inform Acol Consultoria & Sistemas of the termination of any User from the SAUDI System so that the credentials of these users can be deactivated.
All mechanisms and precautions for protecting Patient Data collected also apply to Personal and/or Sensitive Data of Users of the SAUDI System held by Acol Consultoria & Sistemas.
4.3.4.1 – Acol Professionals with Access to Data
In addition to the Personal Data and Database protection measures described in the “Data Protection” item of this policy, Acol Consultoria & Sistemas grants restricted and limited access to certain Acol Consultoria & Sistemas employees to ensure proper functioning, maintenance, correction and protection of the SAUDI System.
To this end, Acol Consultoria & Sistemas segregates employees who have access to the Database, in addition to ensuring that access to the Database will be via identification and password.
Employees with access to the Database fully adhere to Acol Consultoria & Sistemas' confidentiality policy by signing the Code of Ethics and Conduct.
4.3.5 – Production of Reports
The Health Operator may generate reports related to the contracted service.
The reports generated by Acol Consultoria & Sistemas, as a rule, do not reproduce Personal and/or Sensitive Data, constituting only statistics in relation to events occurring within the Health Operators, independent of the personal identification of Patients.
Only reports that portray the profile of patients use Patient Data, considering that the personal identification of those who receive the treatment carried out by the Health Operator is essential in this case.
All reports generated by the SAUDI System are capable of identifying the User who produced them, ensuring greater control over the circulation of Data.
4.3.6 – Data Disposal
The Data stored in the Acol Consultoria & Sistemas Database will be discarded in the event of a specific order from the Health Operators, or in the event of termination of the contractual relationship between Acol Consultoria & Sistemas and the Health Operator, which will receive a copy corresponding to its Data base.
Acol Consultoria & Sistemas will carry out the disposal within a period of up to 60 (sixty) days after the appropriate request for disposal of the Data by the Health Operator, or the termination of the contract, unless there is an explicit request by the Health Operator or Controller for maintaining the Data in the SAUDI System Database.
Disposal is carried out safely, under the terms required by the LGPD, through a logical exclusion procedure in the Acol Consultoria & Sistemas database. Once the deletion has been carried out, it will not be possible to restore the data after 10 (ten) days.
4.3.7 – Data Processing Flowchart
4.3.8 – Data Protection
Acol Consultoria & Sistemas makes every effort to protect the confidentiality of Data, adopting the best information security practices for the traffic and storage of data and information, including, but not limited to:
The adoption of good security practices, described in the Acol Consultoria & Sistemas Information Security Policy and in the ISO 27001 standards;
Secure data storage, through the adoption of encryption throughout the environment; Carrying out external data transfer for storage (backup), using a secure, end-to-end encrypted environment, not transferring data over a public network;
Cybersecurity security monitoring and alerting;
The segregation of access profiles, so that access to information and Data will be restricted to certain access profiles defined by the Infrastructure Management, described in the Acol Consultoria & Sistemas Information Security Policy.
Acol Consultoria & Sistemas periodically submits itself to a rigorous external information security audit based on the ISO 27001 standard. The data protection carried out by Acol Consultoria & Sistemas, in addition to the measures mentioned above, also includes data protection measures and procedures Data security detailed in the Information Security Policy.
Furthermore, all Employees are committed to protecting the confidentiality of any private information of Acol Consultoria & Sistemas, and must strictly observe the provisions of the LGPD and the policies of Acol Consultoria & Sistemas, committing, in particular, to receive and safeguard all Data that may be accessed, as detailed in the Acol Consultoria & Sistemas Code of Ethics and Conduct.
5 – Processing of Personal Data
Acol Consultoria & Sistemas adopts technical and administrative security measures capable of protecting Personal Data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication or any form of inappropriate or illicit Data Processing.
Acol Consultoria & Sistemas carries out an analysis of the risks to which it is subject related to the confidentiality, integrity and availability of the information received by it.
This risk analysis aims to enable the identification, assessment, treatment, monitoring and communication of operational, technological and image risks, in addition to enabling the development of safer software and the application of measures that eliminate vulnerability and
threats to the breach of security of the network and the SAUDI System.
Acol Consultoria & Sistemas maintains an information security risk management system that has a qualified and specialized IT technical team that:
• Performs qualitative and quantitative analysis of information security risks at Acol Consultoria & Sistemas, creating risk indicators that are constantly monitored;
• Supervises the implementation and maintenance of action plans and achievement of established goals for protecting the information security system;
From information security risk analysis, Acol Consultoria & Sistemas develops, implements and updates its software with the aim of ensuring its efficiency, security and compliance with applicable legislation, including the LGPD, observing the application of the following measures:
• Creation of strong passwords and strict care in distributing permissions to access information in Acol Consultoria & Sistemas databases, in addition to implementing access (logical and/or physical) to prevent any unauthorized access;
• Structuring secure communication channels through which the safeguarded transmission of Data between the SAUDI System is guaranteed;
• Use of tools that reinforce the resilience of the SAUDI System to unwanted attacks and intrusions that pose any risk to the information held;
• Maintenance of tracking records and queries of incidents linked to the security of the SAUDI System, in order to make them available for risk assessment audits;
• Carrying out security tests that confirm that Acol Consultoria & Sistemas software is safe and effective in maintaining the confidentiality of the information collected;
• Implementation of encryption of software and databases operated by Acol Consultoria & Sistemas, in order to reinforce security and the difficulty of unauthorized access to information collected by the SAUDI System.
In addition to the measures already described, Acol Consultoria & Sistemas also reinforces its commitment to data protection, through measures that are for all employees, users or any person custodians of information of Acol Consultoria & Sistemas, Operators of
Health and/or Patients (“Employees”):
• Guidance for Employees regarding care and diligence in Data Processing;
• Carrying out training for its employees, with the aim of ensuring a multidisciplinary team dedicated to guiding and implementing security policies and appropriate data protection mechanisms to mitigate any risk of leakage or misuse of Data in all spheres;
• Application of security tests;
• Restriction of the information that can be accessed by Acol Consultoria & Sistemas Employees to what is strictly necessary to provide SAUDI System services;
• Restriction of access to information at the establishment of Acol Consultoria & Sistemas, with the possibility of remote access to Acol Consultoria & Sistemas Data being an exception that must be approved by the management of Acol Consultoria & Sistemas.
• Periodic verification of all Employees who have access to information from Acol Consultoria & Sistemas, Health Operators and/or Patients, in order to maintain detailed control of who can access the SAUDI System, ensuring that the information
are only viewed by duly authorized people;
• Use of antivirus and other forms of protection for the machines of all Acol Consultoria & Sistemas Employees to ensure that there is no invasion or disruption of the Data carried by Acol Consultoria & Sistemas.
To ensure that Employees comply with the guidelines and measures adopted for Data Protection, Acol Consultoria & Sistemas adopts a Code of Ethics and Conduct, as well as a Confidentiality Agreement that must be signed by all employees, users or any
people who have access to Patient Data.
6 – Responsible for Data Protection
Considering the importance of protecting Personal Data, Acol Consultoria & Sistemas appointed someone responsible for implementing and monitoring this Policy and other provisions related to the General Data Protection Law (“Data Protection Officer”).
To ensure compliance with this Policy and the LGPD, the Data Protection Officer will implement the following measures:
• It will carry out, annually, training for its Employees in all Acol Consultoria & Sistemas business units, on this Policy and the LGPD, which may be in person, by videoconference or other non-face-to-face means, such as via the Web;
• It will apply an annual questionnaire on Policy and the LGPD to be answered by all its employees, partners and administrators;
• It will carry out an annual audit to assess the risks exposed and the measures that can be taken to mitigate the risks or resolve them. This audit will be carried out throughout the SAUDI System – in documentation, hosting, security policies, internal access and
servers.
• Coordinate the updating of this Policy.
7 – Communication of Data to other Entities
Acol Consultoria & Sistemas may hire external audit companies that will, annually, verify and validate the Acol Consultoria & Sistemas information security system.
Acol Consultoria & Sistemas may also transmit Patient Personal Data to third parties, when it deems such data communications to be necessary or appropriate (i) in light of applicable law, (ii) in compliance with legal obligations/court orders, (iii) to respond to
requests from public or governmental authorities or (iv) for the purposes of certification, evaluation and measurement of SAUDI System service levels.
In any of the situations mentioned above, Acol Consultoria & Sistemas undertakes to take all reasonable measures to ensure the effective protection of Personal Data.
8 – Contact
To report matters that they consider appropriate within the scope of this policy, Health Operators and/or Patients may send any request regarding them, in writing, to the following email address: dpo@acol.com.br.
9 – Changes to the Privacy and Personal Data Protection Policy
This Policy is subject to change to better adapt to the General Data Protection Law and the regulations of the National Data Protection Agency.
Acol Consultoria & Sistemas may change this policy at any time, when deemed necessary. If there are substantial changes, you will be informed to review the changes before they take effect. If you do not agree with any of the changes, you can request
closing your user account. In this case, Acol Consultoria & Sistemas will forward your request to the person responsible for the SAUDI System at your Health Operator.
For any questions or concerns about the collection and processing of personal data made by us, please contact us.
