US Rights and Notices

As a global IT and business consulting services organization, CGI is committed to maintaining levels of protection of personal data aligned with best practices in the industry which, as a minimum, comply with the requirements of the applicable data protection legislation and CGI’s contractual obligations.

This policy shall apply when CGI handles or comes in contact with Protected Health Information (PHI), a.k.a. Individually identifiable Health Information (IIHI) as defined by HIPAA, as either a Business Associate (to a Covered Entity) or a Business Associate (subcontractor) to other Business Associates.

All of the requirements in this policy are also flowed down to Business Associates/subcontractors to CGI.

CGI may become a Business Associate when it receives PHI from a Covered Entity; i.e., Business Associate relationships should be documented with a Business Associate Agreement, but may not always be. This policy will apply whether or not a formal Business Associate Agreement exists.

This policy is provided to help you better understand how CGI uses, discloses, and protects PHI in accordance with the terms of Business Associate Agreements and/or HIPAA.

Key Definitions

• Business Associate: A person or entity that creates, receives, maintains or transmits protected health information on behalf of a Covered Entity or other Business Associate.
• Business Associate Agreement or BA Agreement: A formal written contract between CGI and a Covered Entity or between CGI and another Business Associate that requires both parties to comply with specific requirements related to PHI. Business Associate Agreements may have requirements beyond those imposed by statute or regulation.
• Covered Entity: A health plan, healthcare provider, or healthcare clearinghouse that must comply with HIPAA.
• HIPAA: Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the Standards for the Privacy of Individually Identifiable Health Information, at 45 CFR Parts 160 and 164 (“Privacy Rule”), and the Security Standards, at 45 CFR Parts 160 and 164 (“Security Rule”), as amended by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH), and any applicable associated federal rules and regulations.
• Protected Health Information or PHI: PHI means all “individually identifiable health information” (as defined in this paragraph) about an individual’s past, present or future physical or mental health, the provision of health care to the individual, or the past, present or future payment for the provision of health care to the individual. Health information is deemed to be individually identifiable health information under HIPAA if it contains any of the following Individual Identifiers: name, date of birth, address, zip code, telephone number, diagnosis codes, dates of service, admission date, discharge date, date of death, age, member/patient numbers, social security numbers, certificate/license numbers, emails, URLs IP address numbers, images, finger prints, or other biometric markers. Use and Disclosure of PHI

We may use PHI for our management, administration, data aggregation and legal obligations to the extent such use of PHI is permitted or required by the BA Agreement and not prohibited by law. We may use or disclose PHI on behalf of, or to provide services to, Covered Entities and Business Associates for purposes of fulfilling our service obligations to them, if such use or disclosure of PHI is permitted or required by the BA Agreement and would not violate HIPAA.

In the event that PHI must be disclosed to a subcontractor or agent, we will require the subcontractor or agent to abide by the same restrictions and conditions that apply to us under the BA Agreement with respect to PHI, including the implementation of reasonable and appropriate safeguards.

Anytime we use or disclose PHI, we will make reasonable efforts to limit the PHI disclosed to only the minimum information necessary for the purposes at issue. We may also use PHI to report violations of law to appropriate federal and state authorities.

Safeguards

We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BA Agreement. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that we create, receive, maintain, or transmit on behalf of a Covered Entity. Such safeguards include but are not limited to:

• Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
• Providing appropriate training for our staff to assure that our staff complies with our security policies;
• Limiting internal disclosures of PHI to only those members of our staff that need to access the PHI to perform their job duties;
• Making use of appropriate encryption when transmitting PHI over the Internet;
• Utilizing appropriate storage, backup, disposal and reuse procedures to protect PHI;
• Utilizing appropriate authentication and access controls to safeguard PHI;
• Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
• Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.

Mitigation of Harm

In the event of an unauthorized use or disclosure of PHI due to CGI’s violation of the requirements of the BA Agreement, CGI will mitigate, to the extent practicable, any harmful effect resulting from the use or disclosure. Such mitigation will include:

• Reporting any unauthorized use or disclosure of PHI not provided for by the BA Agreement to the Covered Entity; and
• Documenting such unauthorized uses or disclosures of PHI and information related to such disclosures as would be required for a Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.

Access to PHI

As provided in the BA Agreement, we will make available to Covered Entities, information necessary for the Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.

Upon request, we will make our internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BA Agreement and HIPAA regulations.

CGI will also make available to the Covered Entity information required for the Covered Entity to provide an accounting of disclosures.

Modification of Records

CGI is not the owner of the records as the Business Associate, therefore, CGI is not responsible for making any record modifications. Should any individual contact CGI for such corrections, the request will be submitted by CGI to the applicable Covered Entity or Business Associate.

Privacy and Security Officers

HIPAA requires that we designate a person or persons who will serve as our “Privacy Officer” and “Security Officer” who is responsible for the development and implementation of our privacy policies and procedures. The US CSG Privacy team will serve as the designate for these roles.

Questions regarding HIPAA may be submitted to privacy.uscsg@cgi.com

Effective: January 1, 2020, updated January 2023

This notice describes the rights of California Consumers under the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”). The CCPA & CPRA require businesses like CGI to provide information on certain topics:

• Selling/Sharing of Personal Information (CGI does not sell/share your personal information as defined in CCPA/CPRA)
• Consumer Rights under CCPA and CPRA
• Categories of Personal Information Collected and sources of that information
• Categories of Personal Information we share for business purposes
• Exercising your Rights

CGI’s standard privacy practices are described in our Privacy Policy.

1. We Do Not Sell or Share Your Personal Information

CCPA /CPRA requires disclosure of whether we sell your personal information. CGI does not sell, rent, release, disclose, disseminate, transfer, or otherwise communicate your personal information as defined in CCPA/CPRA.

2. Consumer Rights under CCPA/CPRA

The CCPA / CPRA provides California Consumers certain rights:

2.1 Right to Request Information

Under CCPA / CPRA, as a California Consumer, you (or your authorized agent) have the right to request a copy of your personal information that is known to CGI. You can request that we disclose the purpose for the categories or specific pieces of personal information Collected, the Categories of sources from where that information is Collected, the purpose for Collecting the information, and the categories of Third Parties with whom we shared it over the past 12 months.

2.2 Right to Delete Personal Information

California Consumers can request that CGI deletes your personal information. You can request that we delete all or specific information and we will process your request unless an exception applies. Possible exceptions may include when the information is necessary to complete a transaction or contract for which it was Collected or when it is being used to detect, prevent, or investigate security incidents, comply with laws, identify and repair bugs, or ensure another consumer’s ability to exercise their free speech rights or other rights provided by law.

2.3 Right to Opt out

CGI does not sell or share your information, so we do not offer an opt-out.

2.4 Right to Notification

Under CCPA/CPRA, CGI cannot Collect new categories of personal information or use them for materially new purposes without first notifying you.

2.5 Right to Limit Use and Disclosure of Sensitive Personal Information

The CPRA allows California Consumers and Employees to direct a business to limit use on collection of sensitive personal information. Requests can be made via phone 888-277-0686 or webform provided in this policy.

2.6 Nondiscrimination for Exercising your Rights/ No retaliation

The CCPA/CPRA prohibits businesses from discriminating against you for exercising your rights under the law. Such discrimination may include denying services, charging different prices or rates for services, providing a different level or quality of services, or suggesting that you will receive a different level or quality of goods or services as a result of exercising your rights.

3. Categories of Personal Information Collect

The CGI Website Privacy Policy describes the information we Collect and its sources. This notice organizes that information around the personal information categories set forth in the CCPA / CPRA.

We use this personal information for the purposes outlined in Section 2 of our Privacy Policy.

4. Categories of Personal Information we share for Business Purposes

While we do not sell your personal information, over a 12 month period, we may share the types of Personal information listed in Section 3 with partners, service providers, and related companies to support our own operational purposes, known as “business purposes” under the CCPA/CPRA, in providing Services to you, as described in the “Disclosure of personal data” section of ourPrivacy Policy.

5. Exercising your Rights

California Consumers have the rights regarding their personal information as outlined above in Section 2 Consumer Rights under CCPA/ CPRA. To submit a request to exercise these rights, complete this webform or see the options listed under Contact Us and provide the following information:

• Whether you are a California resident, or are submitting the request on behalf of another California resident
• Name (Clearly pronounced and spelled)
• Contact information (Phone number or email address)
• Description of your relationship to CGI
• What Rights are being requested – indicate whether you are seeking to:
  • Know what categories of personal information CGI collects
  • Know how CGI uses the information collected
  • Know how CGI shares the information collected
  • Access or receive a copy of the personal information CGI has
  • Request CGI deletes your personal information
  • Request CGI Rectifies your personal information
  • Request opt-out (wherever possible)
  • Request to limit use of sensitive personal information
    California Consumers have the right to designate an authorized agent to make a request on their behalf. When an agent is submitting a request on behalf of a California Consumer, the information above as well as the Agent’s name and contact information should be provided.

Once your identity has been verified, along with the validity of your request, CGI will take the appropriate action in response, free of charge and without discrimination:

• In case of a Request to Know or Access your information, you will be provided the required personal data covering the twelve (12) month period preceding your request;
• In case of a Request to Delete, CGI will delete the personal data collected about you, subject to our right to maintain data for specific purposes as permitted under CCPA.

6. Definitions

Any capitalized term used but not defined herein shall have the meaning as in the CCPA/CPRA.

7. Contact Us

For any questions, contact us at privacy.uscsg@cgi.com (preferred), or call 888-277-0686.

Effective: January 1, 2023

This notice describes the rights of Virginia Consumers under the Consumer Data Protection Act. The Consumer Data Protection Act requires businesses like CGI to provide information on certain topics:

• Categories of Personal Data Processed
• Purpose for Processing Personal Data;
• Exercising Your Rights
• Categories of Personal Data Shares with Third Parties
• Categories of Third Parties with Whom Personal Data Shared

CGI’s standard privacy practices are described in our Privacy Policy.

1. We Do Not Sell Your Personal Information

Virginia’s Consumer Data Protection Act requires disclosure of whether we sell your personal information. CGI does not sell your personal information.

2. Consumer Rights under the Consumer Data Protection Act

The Consumer Data Protection Act provides Virginia’s Consumers certain rights:

2.1 Right to Confirm and Access

The Consumer Data Protection Act provides Virginia’s Consumers certain rights:

2.2 Right to Correct

As a Virginia Consumer, you have the right to correct inaccuracies in your personal data, considering the nature of the personal data and the purposes of the processing your personal data.

2.3 Right to Delete Personal Information

Virginia’s Consumers can request that CGI deletes your personal information. You can request that we delete all or specific information and we will process your request unless an exception applies. Possible exceptions may include when the information is necessary to complete a transaction or contract for which it was Collected or when it is being used to detect, prevent, or investigate security incidents, comply with laws, identify and repair bugs, or ensure another consumer’s ability to exercise their free speech rights or other rights provided by law.

2.4 Right to Request Information

Under the Consumer Data Protection Act, as a Virginia Consumer, you (or your authorized agent) have the right to request a copy of your personal information that is known to CGI. You can request that we disclose the purpose for the categories or specific pieces of personal information Collected, the Categories of sources from where that information is Collected, the purpose for Collecting the information, and the categories of Third Parties with whom we shared it over the past 12 months.

2.5 Right to Opt out of Targeted Advertising, Sales, and Profiling

To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

3. Categories of Personal Information Collected

The CGI Website Privacy Policy describes the information we collect and its sources. This notice organizes that information around personal information categories.

We use this personal information for the purposes outlined in Section 2 of our Privacy Policy.

4. Categories of Personal Information we share for Business Purposes

While we do not sell your personal information, over a 12 month period, we may share the types of Personal information listed in Section 3 with partners, third parties, and related companies to support our own operational purposes in providing Services to you, as described in the “Disclosure of personal data” section of our Privacy Policy.

5. Exercising your Rights

Virginia Consumers have the rights regarding their personal information as outlined above in Section 2 Consumer Rights under Consumer Data Protection Act. To submit a request to exercise these rights, complete this webform or see the options listed under Contact Us and provide the following information:

• Whether you are a Virginia resident, or are submitting the request on behalf of another Virginia resident
• Name (Clearly pronounced and spelled)
• Contact information (Phone number or email address)
• Description of your relationship to CGI
• What Rights are being requested – indicate whether you are seeking to:
  • Confirm and know what categories of personal information CGI holds pertaining to you
  • Correct inaccuracies in your personal data
  • Know how CGI shares the information collected
  • Access or receive a copy of the personal information CGI has
  • Request CGI deletes your personal information
  • Opt out of targeted advertising and/or profiling

Virginia Consumers have the right to designate an authorized agent to make a request on their behalf. When an agent is submitting a request on behalf of a Virginia Consumer, the information above as well as the Agent’s name and contact information should be provided.

Once your identity has been verified, along with the validity of your request, CGI will take the appropriate action in response, free of charge and without discrimination:

• In case of a Request to Know or Access your information, you will be provided the required personal data covering the twelve (12) month period preceding your request;
• In case of a Request to Delete, CGI will delete the personal data collected about you, subject to our right to maintain data for specific purposes as permitted under the Consumer Data Protection Act.

6. Definitions

Any capitalized term used but not defined herein shall have the meaning as in the Consumer Data Protection Act.

7. Contact Us

For any questions, contact us at privacy.uscsg@cgi.com (preferred), or complete this webform .