JHAH Patient Privacy Policy
JHAH respects your privacy and is committed to protecting your personal data. This policy describes the types of information we may create or obtain about you and the ways in which we may collect, use and disclose your personal data. It also describes your rights and certain obligations we have regarding the processing of your personal data in accordance with the Personal Data Protection Law of the Kingdom of Saudi Arabia, and its Implementing Regulations (the “PDPL”).
Type of Personal Data Processed
Personal data is any information, regardless of its source or form, about an individual from which that person can be identified, directly or indirectly. Therefore, your personal data is any information that can be attributed to you personally, and includes, for example, your name, address, identification number, date of birth and contact details. Personal data also includes more sensitive personal data, for example, personal data relating to your racial or ethnic origin, religious, intellectual or political beliefs, criminal offenses, biometric data, genetic data and health information.
The personal data which we process includes, but may not be limited to, the following: full name, address, contact number, email address, marital status, date of birth, gender, age, ethnicity, nationality, religion, contact details of parent/guardian/agent, emergency contact/next of kin or nearest relative details, national ID number, medical record number, health ID number, health/medical information (including appointments, hospital visits, tests, diagnoses, treatments, operations, medications, allergies, disabilities, comorbidities, other health conditions, biometrics (such as height and weight), biological information (such as blood type), x-rays, scans, ultrasound images, genetic data, and family medical history), information from research/clinical trials, insurance details or other financial information on payments, and any images that have been captured by CCTV security cameras in our hospital.
How Personal Data is Collected
JHAH routinely and legitimately collects personal data in the course of a patient’s enrollment, examination, care or treatment in JHAH’s facilities and/or those of its network of health care providers. The personal data we process is largely collected directly from you, but sometimes, we may also need to collect information about you from a third party (such as a relative or another health service provider).
Where we ask you to provide personal data to us on a mandatory basis, we will inform you of this at the time of collection. Failure to provide certain information when requested may mean that JHAH will not be able to provide you with the required healthcare services.
Purpose of Processing Personal Data
We collect and use your personal data in order to provide you with health care services and for administrative and internal business purposes related to your attendance at JHAH. We always use the minimum personal data needed and anonymize data where personal data is not required for the purpose.
Legal Basis for Processing Personal Data
JHAH will only process personal data where it has a legal basis for doing so. We generally process your personal data under one or more of the following bases:
- You have given your consent for one or more specific purposes;
- The processing is necessary for the performance of a contract to which you are a party;
- The processing is necessary for compliance with a legal obligation to which JHAH is subject;
- The processing is necessary to achieve your actual interests, provided you are difficult to contact or communicate with; or
- The processing is necessary for the legitimate interests pursued by JHAH, except where such interests are overridden by your interests or rights which require protection of personal data or where sensitive personal data is to be processed.
How Personal Data is Stored and Protected
Your personal data may be stored in various forms, including electronic and/or physical (paper) form in accordance with customary practices. JHAH has put in place appropriate technical, organizational and security measures to ensure your personal data is stored securely and protected from misuse, loss, unauthorized access, alteration, disclosure or destruction. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect your personal data.
How Personal Data May be Used and Disclosed
The following categories generally describe the ways by which JHAH may use and/or disclose your personal data. While every use or disclosure is not listed, all of the ways by which we use and/or disclose your personal data will fall within one of the following categories:
- To provide, coordinate or manage the patient’s care with and among the patient’s caregivers – This may include disclosures to, and use by, doctors, nurses, technicians and other professionals both within and outside of the JHAH system, including but not limited to JHAH facilities throughout the Kingdom of Saudi Arabia (such as Dhahran, Al Hasa, Ras Tanura, Udhailiya and Abqaiq), affiliated organizations such as Johns Hopkins Medicine in the United States or elsewhere, and members of JHAH’s network of contracted third party health care providers.
- To create bills and collect or process payments for treatment rendered – This may include disclosures to, and use by, the patient’s insurance companies, employers, sponsors, and/or other health care providers. This may also include disclosures to, and use by, third parties who provide accounting, billing and/or related support and services to JHAH or the patient’s other health care providers.
- To manage or conduct JHAH system operations and to improve the quality of care provided to patients – This may include disclosures and use related to activities to monitor and improve patient care within JHAH and its network of third party health care providers, evaluation, accreditation and/or licensing of health care professionals, preparation for governmental, regulatory or accreditation reviews, training of health care and non-health care professionals, and general conduct of clinical and related operations. This may also include disclosures to, and use by, third party data processing service providers, health care data registries, other data analytics professionals, and consultants engaged by or on behalf of JHAH to support its quality improvement activities or to help manage its operations generally. Information shared for purposes not directly related to an individual patient’s care may be “de-identified” so as to endeavor to prevent the recipient from tracing it to an individual named patient.
- To support occupational health decisions – This may include disclosures to, and use by, the patient’s employer, insurance company, sponsor or other health care providers in order to permit sound occupational health decisions for the patient, such as eligibility for medical leave or other benefits and limitations on work-related duties.
- To participate in health information exchanges – This may include disclosure to, and use by, third party health care providers or other health care entities, such as the patient’s insurance company, through the health information exchanges (including the Saudi Health Information Exchange) in which JHAH participates in order to facilitate the exchange of patient health information and to connect participating health subscribers through a managed service to provide faster access, better coordination of care and assist providers and public health officials in making more informed decisions.
- To communicate with patients about their care or well-being – This may include use and disclosure of information such as the patient’s name, address and general medical condition to set up or remind the patient about future appointments, provide information about treatment alternatives or other information that may be of interest to the patient, or disclose health-related benefits or services that may be of interest to the patient.
- To communicate with family members and others involved in the patient’s care – This may include disclosure of relevant patient health information to family members, friends or personal representatives who are involved with the patient’s care if appropriate to keep them informed of the patient’s condition, to help them understand or assist with the provision or management of the patient’s care, to locate other friends or family members, or – if they are authorized to do so – to make health care decisions on the patient’s behalf.
- To conduct or participate in medical research – Personal data may be used and disclosed in medical research: (i) with the patient’s authorization; or, (ii) when the patient’s name and most other identifiers have been removed; or, (iii) when the research study at JHAH is reviewed and approved by an Institutional Review Board. Limited information may be used before approval of the research study to allow a researcher to determine whether enough patients exist to make a study scientifically valid.
- For public health purposes – JHAH may disclose personal data for public health purposes, such as reporting births and deaths, reporting adverse reactions to or safety issues with SFDA-regulated products, reporting infectious diseases to applicable governmental and other health officials, or complying with or demonstrating compliance with rules and regulations of applicable health care oversight and licensing agencies and regulatory bodies.
- To comply with laws or other governmental directives – JHAH may use or disclose personal data as required by law or in response to or compliance with a legally valid order, request, demand or other mandate issued by or on behalf of competent legal, administrative or judicial authorities, coroners or medical examiners, law enforcement or child protection officials, national security or public safety agencies or institutions, or other governmental authorities having jurisdiction over JHAH and such information.
Change of Purpose
JHAH will only use your personal data for the purposes for which it was collected. Outside of the purposes stated above, other uses and disclosures of your personal data will be made only with your consent, unless we are otherwise permitted or required by law to do so.
Personal Data Sharing and Cross Border Disclosure
JHAH may disclose your personal data to third parties for the purposes stated above. JHAH (or third parties acting on our behalf) may also store or process your personal data in jurisdictions outside the Kingdom of Saudi Arabia. Where we disclose or transfer your personal data outside of the Kingdom of Saudi Arabia, we will take the necessary steps to ensure that your personal data is protected to the standard required by the PDPL.
Rights Regarding Your Personal Data
Under the PDPL, you have the following rights regarding the personal data we maintain about you:
- Right to be informed – You have the right to be informed about the legal basis and the purpose for which we collect your personal data.
- Right of access – You have the right to access the personal data we hold about you by request or via a channel provided by JHAH enabling you to directly access your personal data without the need to make a request, for example, via MyChart.
- Right to copy – You have the right to request a copy, in a clear and readable format, of your personal data held by JHAH. You may submit your request via MyChart, if appropriate, or in writing to the Liaison Services.
- Right to correction – If you believe that the personal data we have about you is inaccurate or incomplete, you have the right to request that JHAH correct the data. In the case of personal information, such as address, contact details and billing information, you may submit your request via MyChart or the Patient Support Services department, as appropriate. In the case of sensitive personal data, you are required to submit your request in writing to the Data Protection Officer (DPO) as provided below, with an explanation as to why the correction is needed and any supporting documentation. If we accept your request, we will notify you and amend your personal data. We will also notify any third parties who have the inaccurate or incomplete personal data. If we deny your request, we will provide you a written explanation of why we did not make the amendment.
- Right to destruction – In some circumstances, you have the right to request that we delete the personal data we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to comply with your request. This depends on, for example, whether we have a statutory obligation to retain the personal data and what lawful basis we have relied upon for the processing. To request deletion, you are required to submit your request in writing to the DPO as provided below.
- Right to withdraw consent – In circumstances where we are relying on consent to process your personal data, you have the right to withdraw consent at any time. However, any processing of your personal data made before your withdrawal is not affected by any such withdrawal. If you choose to withdraw your consent, it may mean the care and treatment that can be provided is limited and, in certain circumstances, may not be possible. To withdraw your consent, please submit your request in writing to the DPO as provided below.
Personal Data Retention
JHAH will only retain personal data for as long as necessary to fulfil the purposes for which it was collected and in order to comply with any legal or regulatory requirements. To determine the appropriate retention period for personal data, we consider whether there is an ongoing relationship, the nature and sensitivity of the personal data, any applicable legal or regulatory requirements and our legitimate business needs.
Contact Us
If you have any questions, concerns or complaints regarding this policy, the information we hold about you, or if you wish to exercise your rights, you can contact our DPO using the details below.
By email: JHAHClinicalInformatics@JHAH.com
By mail: Johns Hopkins Aramco Healthcare, Clinical Informatics Department, Data Protection Officer, P.O. Box 76, Dhahran 31311, Saudi Arabia
Notice of Changes
JHAH may change or update this policy at any time. The current policy will be published to JHAH’s website or can be obtained by contacting us.
Consent to the Privacy Policy
You acknowledge that you have read and understand this policy and, by signing the Consent to General Treatment, that you consent to JHAH processing your personal data as described within this policy.