Olema - Privacy Policy

Olema Pharmaceuticals, Inc.
Privacy Policy
Owner: Legal
Effective Date: February 20, 2021
Last Review Date: January 1, 2023
The purpose of this Privacy Policy is to set out the principles governing the use of information relating to an identified or identifiable individual (“Personal Information”) and Protected Health Information (PHI).
Statement of Policy
- In the course of conducting our business, we may collect Personal Information (PI) and PHI about employees, patients, customers, business partners, and others.
- The Processing of PI and PHI may impose legal obligations including an obligation to keep such information confidential and secure.
- Maintaining the confidentiality of PI and PHI is also critical to maintaining the trust we build with our employees, patients, customers, business partners, and others.
- It is Olema’s policy to keep such information confidential and secure in accordance with applicable privacy laws and regulations.
Scope
The policy is applicable to all employees, officers, consultants and our vendors.
Definitions
1. Business Associate Agreement (BAA): When a Covered Entity engages a business associate to help carry out its health care activities and functions, the Covered Entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do, and that requires the business associate to comply with the Health Insurance Portability and Accountability Act (HIPAA).
2. California Consumer Protection Act (CCPA): The CCPA grants California consumers various rights with regard to personal information, including how personal information is held by certain businesses, and requires businesses to comply with consumer requests related to that personal information.
3. Covered Entity: A covered entity under HIPAA includes healthcare providers (such as physicians, hospitals, academic medical institutions, clinics and pharmacists), health plans, and healthcare clearinghouses. Olema Oncology is NOT a Covered Entity.
4. Health Insurance Portability and Accountability Act (HIPAA): A US law designed to provide privacy standards to protect patients' medical records and other health information provided to health plans, healthcare providers, hospitals and other health care providers.
5. Healthcare Professionals ("HCPs"): Any individual or entity that can, in his or her professional capacity, influence the use, purchase, prescription or recommendation of Olema products, affect the formulary or other preferential or qualifying status of Olema products, or participate in, influence, or direct clinical research, including but not limited to physicians, nurses, pharmacists, medical students, teaching institutions, formulary committee members, and clinical trial investigators.
6. Personal Information (PI):
6.1 “Personal Information” includes any information that alone or in combination with other data can be used to identify or link to a person or household, such as a name or initials, address, phone number, e-mail address, or IP address.
6.2 “Personal Information” includes personnel data pertaining to our employees, customers or other individuals and similar types of information provided to us by our customers, suppliers and partners.
6.3 Some Personal Information is considered “Sensitive Personal Information” while other PI is non-sensitive. Non-sensitive PI might include information that is found on a business card or which is otherwise made available to the general public with the consent of the individual.
7. “Processing” or “Process” means any operation or set of operations which is performed on personal information or on sets of personal information such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
8. Protected Health Information (PHI):
8.1 PHI is any information about health status, provision of health care, or payment for healthcare that is created or collected by a Covered Entity, and can be linked to a specific individual.
8.2 Health information such as diagnoses, treatment information, medical test results, and prescription information is considered protected health information under HIPAA, as are national identification numbers and demographic information such as birth dates, gender, ethnicity, and contact and emergency contact information.
9. Sensitive Personal Information (SPI):
9.1 SPI is a subset of Personal Information that is generally considered to include more private details about an individual and may trigger additional requirements under the law.
9.2 Sensitive Personal Information is information which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
9.3 SPI may include financial information, social security number, driver license number, information about an individual’s race, ethnicity, religion, sex life/sexual orientation, health insurance information and information about a person’s physical or mental health.
Policy Guidance
10. “Data Minimization”: Collecting Personal Information
10.1 Only collect PI where there is a business purpose, do not collect more data than you need for that purpose, and keep it only for as long as necessary.
11. “Need to Know”: Sharing Personal Information
11.1 Share PI only with employees, authorized third parties and others who have a clear business need for such information.
11.2 Do not use PI for purposes incompatible with the purpose for which it was originally collected.
12. Sensitive Personal Information: There are heightened policy requirements applicable to SPI:
12.1 Collecting SPI may impose additional legal requirements on Olema, and SPI should only be collected where there is a legitimate purpose for collecting such information. A legitimate purpose is where the information is necessary to perform a specific purpose and individuals can reasonably expect the company to collect the information. Examples of such legitimate purposes include collecting SPI from job applicants, or from employees during benefits enrollment, or from vendors to complete contracts, or as required to fulfill tax reporting obligations. Please consult Legal for further guidance on collecting SPI.
12.2 Always keep SPI confidential and only use or disclose it consistent with a legitimate purpose.
12.3 Ensure documents containing SPI are not accessible to casual visitors, passersby, or other individuals within the office without a “need to know.”
12.4 Paper records containing SPI must be stored in locked file cabinets; offices where SPI is held should be locked and secured after business hours; user IDs, passwords, encryption, and firewalls should be employed to protect SPI stored in electronic format.
12.5 Use encrypted emails to send SPI whenever possible. If encrypted email is not available, save SPI in a separate document and password-protect it.
12.6 Employees and officers should not send company business information, including PI, to their personal email.
12.7 Do not post SPI on shared drives or multi-access calendars that can be accessed by individuals who do not have a “need to know.”
12.8 Seek guidance from the Olema Legal Department before sending SPI electronically or physically to recipients in foreign jurisdictions.
13. Consumer Requests:
13.1 Certain privacy laws, including the CCPA, give broad consumer rights with regard to PI and how companies may Process the information.
13.2 Consumers may have the right to obtain access to and get a copy of or ask Olema to delete the PI that Olema holds and Processes about them.
13.3 If you receive any consumer request regarding PI, you must immediately forward it to the Legal Department.
14. PHI and Patient Privacy:
14.1 Olema personnel should avoid situations in which they may be exposed to PHI without an individual’s consent. In the event an HCP or other person exposes Olema personnel to PHI, Olema personnel should not document or reproduce the information in any media or form.
14.2 Olema should refrain from entering into BAAs with Covered Entities. Please consult Olema’s Legal Department regarding any questions about requests to enter into a BAA.
15. Obtain Patient Consent Where Appropriate:
15.1 In certain circumstances, it may be appropriate or even necessary for Olema to receive PHI from patients or consumers as part of certain approved activities. Olema must ensure that the appropriate patient consent has been obtained prior to receiving such PHI. Please consult the Olema Legal Department regarding any such activities.
16. Retaining Personal Information
16.1 Properly destroy records containing PI in accordance with Company guidance. Please consult with the Olema Legal Department regarding this topic.
16.2 Disclosure/Data Breach: Access to PI and PHI, and in particular the collection of such information, imposes an obligation to keep that information confidential and secure. Promptly inform the Olema Legal Department when such information is lost, stolen, or used or disclosed inappropriately.
Exceptions to the Policy
All exceptions to this policy require the approval of Legal.
Disciplinary Action
Non-compliance with these policies can subject Olema employees and consultants to disciplinary actions up to and including termination.
Further, improper activities that violate one or more laws and regulations could result in criminal and civil penalties for the individual and the company.