MedStack Technology Compliance Policies

Information privacy

General

  • Comply with all privacy and data protection laws, regulations, and rules in each jurisdiction where we conduct business.
  • The Privacy Official is the Chief Technology Officer (CTO).
  • Commit to respecting the privacy rights of individuals and to the protection of their personal health information.

We do not directly collect, use or disclose PHI

  • We provide technical services for companies that provide services to individuals, Health Information Custodians (HICs) or Covered Entities (CEs)
    • HIPAA: We serve Business Associates
    • PHIPA: We serve Electronic Service Providers or Health Information Network Providers
  • We rely on our customers to manage the following aspects of PHI
    • consent and consent directives
    • collection and limitation of collection
    • use, disclosure and retention
    • accuracy
  • If a request, complaint, or issue regarding patient rights, use or disclosure of PHI, accuracy or privacy occurs
    • Inform the requester that we do not manage this directly.
    • Direct the requester to the relevant customer.
    • Document the request and the action taken.

Safeguard privacy

  • Apply appropriate physical, administrative and technical safeguards to protect PHI against loss or theft, or from unauthorized access, disclosure, copying, use, disposal or modification.

Publish a Privacy Notice

  • Publish a Privacy Notice on our website and in our applications, that provides specific information about our policies and practices relating to our handling of PHI.

Inquiries, complaints, and disputes from data subjects

  • Refer requests to our customers
    • Refer requests by individuals for access to, or correction of, their PHI stored in our systems to the customer that manages that individual’s data.
    • Implement functionality in our systems and associated business processes to enable our customers to provide individuals with access to their PHI and to make corrections or amendments to the records.
  • Handle compliance challenges
    • An individual shall be able to challenge our compliance.
    • Challenges must be submitted in writing to the Chief Compliance Officer.

Implement an Information Privacy Program

  • Provide privacy and security training for our employees and contractors.
  • Have a signed confidentiality agreement with all of our employees and contractors.
  • Implement a process to receive, investigate and resolve questions or complaints from individuals, substitute decision makers and the public.
  • Implement a program to monitor and audit access to records of PHI to detect privacy breaches.
  • Investigate privacy breaches and make recommendations for corrective action to avoid similar breaches in the future.
  • Ensure that agreements or contracts with third parties who require access to PHI, contain provisions to adequately protect PHI.

Verify compliance

  • Verify compliance with this policy through various methods, including but not limited to
    • business tool reports
    • internal and external audits
    • feedback to the policy owner

Enforcement

  • Responsible party: All managers and supervisors

References

Code   Section    Title
ISO    A.18.1.4   Privacy and protection of personally identifiable information
CHIP   R1         Accountable Person
CHIP   R3         Privacy Policy
CSA    (n/a)      Canadian Standards Association (CSA) Model Code for the Protection of Personal Information
HIPAA  164.502    Uses and disclosures of protected health information: General rules.
SOC2   CC8.1      The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2   P1.1       The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
SOC2   P2.1       The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
SOC2   P3.1       Personal information is collected consistent with the entity’s objectives related to privacy.
SOC2   P3.2       For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy.
SOC2   P4.1       The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy.
SOC2   P4.2       The entity retains personal information consistent with the entity’s objectives related to privacy.
SOC2   P5.1       The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.
SOC2   P5.2       The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.
SOC2   P6.1       The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.
SOC2   P6.4       The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.
SOC2   P8.1       The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.