HIPAA and U.S. Privacy Policy

Version: 1.0

1. Introduction

The purpose of this HIPAA and U.S. Privacy Policy ("Policy") is to define Pandora S9, Inc.'s and Preventx Limited's (together, "Preventx") obligations as they relate to compliance with HIPAA (defined below) and other applicable United States ("U.S.") Data Protection Laws (defined below).

Preventx is committed to protecting the privacy, integrity, and security of those who entrust us with their Covered Data (defined below) that the company Processes (as defined below) in all aspects of its business worldwide. This Policy aligns to Preventx’s data protection and information security policy framework (the "Framework"), which includes Preventx’s policies, procedures, and documentation that outline Preventx’s strategy for compliance with data privacy and security requirements.

2. Scope

As an organization that operates in the United States and provides certain Services (defined below) that may require the collection, use, and disclosure of Covered Data, Preventx has adopted this Policy, as part of its Framework requirements, to ensure it adequately protects its Clients' and Individuals' (both defined below) Covered Data and complies with applicable U.S. Data Protection Laws, including but not limited to:

  • The Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act (Title XIII of the American Recovery and Reinvestment Act of 2009), and the regulations issued thereunder, 45 CFR Parts 160, 162 and 164, as amended (collectively, “HIPAA”);
  • The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”);
  • Washington’s My Health My Data Act (“MHMDA"); and
  • Other applicable laws, including the Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CDPA”), Virginia Consumer Data Protection Act (“VCDPA”), and Utah Consumer Privacy Act (“UCPA") (all collectively, “U.S. Data Protection Laws”).

This Policy applies to all Employees (as defined below) and applicable Suppliers (defined below) who may, during their business relationship with Preventx, Process Covered Data. Furthermore, this Policy applies from the time Covered Data are received, continues through the Processing activity, and ends only when the Covered Data are no longer required and have been returned or deleted, in accordance with Framework and applicable contractual requirements.

3. Definitions

Term / Definition

Authorization

A detailed document in which specific PHI uses and disclosures are explained in full. By signing an Authorization, an Individual (defined below) gives consent to have their health information used or disclosed for the reasons stated in the Authorization.

Business Associate (“BA”)

A person or entity that performs functions or activities on behalf of a CE (defined below) that involve the use or disclosure of PHI, including ePHI, without being a member of the CE's workforce.

Business Associate Agreement (“BAA”)

A written arrangement that specifies a CE's and BA's responsibilities related to PHI use and disclosure, including requirements to safeguard PHI, in accordance with the Privacy Rule and Security Rule (both defined below).

Client

Entities that have engaged Preventx for Services under a written agreement, e.g., master services agreement.

Consumer Health Data

As defined under the MHMDA, means any Personal Data (defined below) that are linked or reasonably linkable to an Individual and identifies an Individual’s past, present, or future physical or mental health status, including without limitation: use or purchase of a medication; efforts to obtain health supplies or services; biometric data; geofencing data; and data that identifies an Individual seeking healthcare services, among others.

Covered Data

Means, in any form or format, any information that may directly or indirectly identify an Individual (defined below). This includes, without limitation, Personal Data, Sensitive Personal Data, PHI, Personal Information, Personally Identifiable Information (“PII”), and Consumer Health Data (all terms defined herein) including similar terms under, or otherwise governed, regulated, or protected by applicable U.S. Data Protection Laws.

Covered Entity (“CE”)

A CE is a health plan (including a payer), a healthcare clearinghouse, or a healthcare provider that transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard (e.g., claims, eligibility, or payment transactions), as defined under HIPAA.

Covered Function

Means any function, the performance of which makes the performer a health plan, a healthcare provider, or a healthcare clearinghouse, as defined under HIPAA.

Data Minimization

Means the practice of limiting the amount of Covered Data collected, stored, and Processed to the minimum necessary for the stated purpose.

Data Subject Rights Requests (“DSRRs”)

Requests that may be submitted by Individuals when exercising certain privacy rights afforded to them under applicable U.S. Data Protection Laws.

Document Classification Chart (“Chart”)

Means the chart in Appendix A to this Policy, which outlines the classification criteria for how Preventx classifies its data risk categories, data types, associated data examples, best practices in how to safeguard such information, and authorization requirements that may be needed to release applicable data types in accordance with Framework requirements.

Employees

Means a current or former individual who is paid a salary (or wages), evidenced through an employment agreement or W-2 arrangement, to support a Preventx job function, as outlined in the individual's job description.

An Employee may also include prospective employees, trainees, temporary workers, contractors, or applicants.

HIV/AIDS Status

An Individual’s human immunodeficiency virus (“HIV”) and acquired immune deficiency syndrome (“AIDS”) positive or negative test result.

Incident

A privacy or security event, including any unauthorized disclosure of Covered Data or any potential breach of security that may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data transmitted, stored, or otherwise Processed. This includes, without limitation, a “Data Breach,” as defined under CCPA/CPRA, and a “Breach,” as defined under HIPAA. Where applicable U.S. Data Protection Laws are silent on defining an ‘Incident’ (e.g., MHMDA), the definition provided herein will apply.

Individual

The person who is the subject of the Covered Data, including a personal representative, i.e., a person who has authority to act on behalf of an adult or emancipated minor in making decisions related to that person's healthcare or legal rights.

Lawful Basis

A lawful (or legal) basis which allows for Personal Data – or Sensitive Personal Data – Processing.

Opt-in

Means the requirement that direct marketing, including email messages, SMS, telephone calls, or other forms of direct electronic communication, be sent only to recipients who have given their prior consent.

Opt-out

Means a request by an Individual, for any reason, to discontinue direct marketing, with which Preventx must comply.

Personal Data

Data that are not PHI (as defined under HIPAA) but that may directly or indirectly identify an Individual, including (without limitation) personal data, personal information, personally identifiable information (“PII”), and Consumer Health Data, as defined under applicable U.S. Data Protection Laws.

It shall also include Personal Data Processed from current, past, and prospective Employees, Service User(s), healthcare providers, Clients, and Suppliers (as defined below) and their respective staff located within the United States. 

As outlined further in the Chart, Personal Data may also be referred to as “Confidential” or “Highly Confidential” depending on which data category (e.g., patient) and data types (e.g., health data, business contact information) are relevant.

Personal Data may include data that are pseudonymized (i.e., identifying information has been masked by replacing it with artificial identifiers, e.g., a patient ID). Personal Data DOES NOT include data that have been anonymized or de-identified, i.e., direct and indirect personal identifiers have been removed such that an Individual, Client, or Subprocessor (defined below) can no longer be re-identified.

Privacy Rule

A set of national (U.S.) standards for the protection of certain health information. The Privacy Rule addresses the use and disclosure of Individuals’ health information (or PHI) by organizations subject to the Privacy Rule (i.e., CEs), as well as standards for Individuals’ privacy rights to understand and control how their health information is used.

Process(es)(ed)(ing)

Any operation (or set of operations) performed on Covered Data, such as: handling; collection; recording; organization; structuring; storage; adaptation or alteration; retrieval; consultation; use; disclosure by transmission; dissemination or otherwise making available; alignment or combination; restriction; erasure; or destruction, as defined under applicable U.S. Data Protection Laws.

Protected Health Information (“PHI”)

Means individually identifiable health information created, received, maintained, or transmitted by a CE or BA, in any form or medium. This includes information in medical records and in conversations between healthcare staff (such as doctors and nurses) regarding a patient's treatment, billing information, and any information that could be used to identify an Individual in a company's health insurance records. PHI includes electronic PHI (“ePHI”), i.e., PHI that is created, stored, transmitted, or received in any electronic format or medium.

PHI DOES NOT include data that have been anonymized or de-identified, i.e., direct or indirect personal identifiers have been removed, thus eliminating any ability to re-identify an Individual.

Records of Processing Activity(ies) (“ROPAs”)

An internal record of the Covered Data Processing activities carried out by Preventx for its Services and in support of applicable business activities and operations. ROPAs may also be used to support a DSRR.

Regulated Entity

Means any legal entity as defined under the MHMDA that: (a) conducts business in Washington state (U.S.) or produces or provides products or services that are targeted to consumers in Washington; and (b) alone or jointly with others, determines the purpose and means of collecting, Processing, sharing, or selling of Consumer Health Data.

Regulator(s)

Applicable regulatory authorities, including (but not limited to) the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), U.S. State Attorneys General, and the Federal Trade Commission (“FTC”), that oversee the enforcement of U.S. Data Protection Laws.

Secretary

Means the Secretary of the HHS, or any other officer (or employee) thereof, to whom the authority involved has been delegated.

Security Rule

National standards that specify a series of administrative, technical, and physical safeguards that CEs and BAs must implement to ensure the confidentiality, integrity, and availability of ePHI.

Sensitive Personal Data

Special categories of Personal Data, which include information on an Individual's biometric characteristics; genetic data; religious or philosophical beliefs; racial or ethnic origin; medical health (including HIV/AIDS Status); sex life or sexual orientation; political opinions; financial accounts; precise geolocation or location tracking; trade union membership; and any Personal Data of a minor under the age of 16.

Processing Sensitive Personal Data may require a specific purpose, sufficient necessity, explicit consent, and stricter protective measures as defined under applicable U.S. Data Protection Laws. 

Service(s)

Services contracted under Preventx Client master services agreements, or direct to Individuals, including distribution and diagnostics of sexual health testing kits for at home use.

Service User

An Individual using the Services (i.e., sexual health testing) from whom PHI may be collected or Processed.

Subprocessor

An authorized third-party engaged by Preventx to carry out Processing of Covered Data on its behalf.

Supplier(s)

An external product (e.g., off-the-shelf application, system, or hardware) or service provider for Preventx, including without limitation: vendors; suppliers; Subprocessors; subcontractors/contractors; consultants; and any other third party providing a product (or service) to the company.

Training

Required annual training for Employees and, where applicable, Suppliers, which includes review of applicable compliance policies and procedures, including without limitation: privacy and security; quality management; and other applicable job-related policies and procedures.

4. Roles & Responsibilities

The following roles and responsibilities are required by this Policy:

Role / Responsibilities

Business Operations

Responsible for, in conjunction with DP and IT/Security, fulfilling required DSRRs, where applicable.

Data Privacy (“DP”)

Responsible for creating and administering the Framework (as defined in Section 1 of this Policy), ensuring processes and controls are operational, performing legal review of applicable privacy and security contractual terms, and ensuring Preventx's compliance with applicable U.S. Data Protection Laws.

IT/Security

Responsible for designing, developing, implementing, and monitoring controls to safeguard Covered Data, mitigate potential Incidents, and ensure compliance with Framework requirements. IT/Security is also responsible for collaborating with DP on any Covered Data Incidents (where needed) and with other key stakeholders, where applicable.

Legal

Responsible for assisting with applicable legal, compliance, and regulatory requirements, including collaborating with Data Privacy, IT/Security, QC, and any other stakeholders needed to ensure appropriate Framework implementation and compliance.  Legal is also responsible for overseeing and supporting contract creation and review.

Preventx Executive Team

The executive team is responsible for overseeing and supporting the roles and responsibilities outlined in this Section and Policy.

Quality Compliance (“QC”)

Responsible for overseeing documentation, Training, and, as applicable, corrective and preventive actions (“CAPAs”) in relation to privacy and security matters, where required. QC also supports relevant aspects of Preventx's Supplier due diligence and related processes, to ensure Subprocessor requirements are maintained and audited, and to ensure data privacy and security processes and controls are properly implemented and operating as designed.

5. Policy and Guidelines

5.1 Applicability of U.S. Data Protection Laws

Preventx’s obligations under U.S. Data Protection Laws depend on the Covered Functions and Services it performs, its relationship to applicable Individuals, and the parties it contracts with under applicable master services agreements, as follows:

  1. Where Preventx is solely performing laboratory services and is not conducting a HIPAA Covered Function, Preventx does not qualify as a Covered Entity but is considered an indirect healthcare provider, which may exchange PHI (including ePHI) with Covered Entities without entering into a BAA or obtaining an Individual’s consent, so long as such exchange is related to treatment, payment, or healthcare operations.
  2. For additional administrative Services performed by Preventx under contract with applicable Clients (CEs), Preventx shall qualify as a BA when it creates, receives, maintains, or transmits PHI (including ePHI) on the Client's behalf in connection with a Covered Function, e.g., administrative functions that fall outside laboratory services, such as managing a portal/website for a Client.
  3. Where Preventx makes onward transfers of PHI to other Preventx entities (including its parent company or other U.S. subsidiaries) in performance of related business activities, operations, or Services, such entity(ies) may be considered a Subprocessor. Where such transfers take place, all such entities shall be subject to this Policy and shall adhere to the company’s “International Data Sharing, Transfer, and Processing Agreement,” including the applicable BAA therein; or
  4. Where Preventx is otherwise Processing Covered Data, including providing Services directly to Individuals (or consumers) or performing other corporate activities that are not associated with a Covered Function or governed by a BAA, Preventx shall ensure its use and disclosure (or Processing) of Covered Data are managed in accordance with applicable requirements under HIPAA (such as the Security Rule) and other applicable U.S. Data Protection Laws (e.g., CCPA, MHMDA).

5.2 Privacy Principles

Where Preventx Employees and Suppliers Process Covered Data, they must do so in accordance with Framework obligations, applicable U.S. Data Protection Laws, and the following principles:

  1. Lawful Basis: Preventx shall ensure that, where required, Processing of Covered Data is based on a Lawful Basis, which may include consent, performance of a contract, a legal obligation, a vital or public interest, another legitimate interest, or any other basis recognized under applicable U.S. Data Protection Laws. The Lawful Basis shall be captured within Preventx’s Records of Processing Activities, in accordance with Section 5.11 below.

  2. Limitation(s) on Uses or Disclosures: Preventx shall ensure Covered Data Processed in support of applicable Services are Processed for specified, explicit, and legitimate purposes and are not further Processed in a manner incompatible with those purposes. Further Processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purpose, in accordance with applicable U.S. Data Protection Law requirements and this Policy.

  3. Sensitive Personal Data: Where Preventx Processes Sensitive Personal Data, it shall ensure such Processing adheres to applicable U.S. Data Protection Laws, that Individuals are informed about how their Sensitive Personal Data are Processed in accordance with Section 5.4 (Privacy Notices and Authorization) below, and that Individuals are allowed to limit the use of their Sensitive Personal Data in accordance with Section 5.5 (Individuals’ Rights) below.

  4. Data Minimization Principle – “Minimum Necessary”: Preventx shall ensure Covered Data are Processed by Preventx Employees and Suppliers (where applicable) only to perform applicable corporate business activities, operations, and Services. Preventx shall ensure that only the minimum necessary Covered Data are Processed, and that such Processing is done in accordance with Framework requirements, this Policy, and applicable requirements under U.S. Data Protection Laws (including the HIPAA minimum necessary standard).

  5. Accuracy Principle: Preventx shall ensure Covered Data Processed in support of applicable Services are accurate, complete, kept up to date, and appropriate for use. Where Covered Data are inaccurate, reasonable steps will be taken to ensure they are erased or rectified without delay, having regard to the purposes for which they are Processed, in accordance with Individuals’ Rights described in Section 5.5 below.

  6. Storage Limitation: In accordance with Data Minimization and Framework requirements, Covered Data shall be retained no longer than is necessary for the purposes for which they are Processed and as consented to, or as needed to meet regulatory requirements. Documentation required by HIPAA (e.g., policies, procedures, BAAs, and accountings of disclosures) shall be retained for at least six (6) years, as HIPAA requires; PHI itself shall be retained for the period required by applicable U.S. State Laws and contractual requirements.

  7. Data Privacy and Security-by-Design: Preventx shall assess its Processing activities to ensure that data privacy and security safeguards are proactively built into the design of its information systems, applications, products, services, and processes, in order to prevent Incidents and protect Individuals’ privacy.

  8. Data Security Principle: In accordance with Section 5.7 below, Preventx shall ensure Covered Data are safeguarded by implementing appropriate administrative, technical, and physical safeguards, as required under the Security Rule, including without limitation protection against unauthorized or unlawful Processing and protection against accidental loss, destruction, or damage. Such security controls shall take into account: 1) industry standards; 2) the costs of implementation; 3) the nature, scope, context, and purposes of Processing; and 4) the risks, of varying likelihood and severity, to Individuals’ rights and freedoms.

  9. Sale of Data: For purposes of the CCPA and other applicable U.S. Data Protection Laws, Preventx DOES NOT “sell” Personal Data or PII. Should the company’s business model change to require the sale of such data, the company shall ensure that no Covered Data are sold without the appropriate Individual consent and without providing Individuals the ability to Opt-out of such sale.

  10. Accountability Principle: Where required, Preventx shall ensure that it is able to demonstrate compliance with applicable U.S. Data Protection Laws.

  11. Consent: Where consent is the basis for Processing of Covered Data, Preventx shall ensure any consent required under applicable U.S. Data Protection Laws is: 1) freely and explicitly given; 2) specific, informed, and unambiguous; and 3) capable of being withdrawn by the Individual (as applicable to the Services), in accordance with Section 5.5 below.

5.3 Organizational Measures

  1. Responsible Parties. This Policy designates Preventx’s Data Privacy office and IT/Security office (with support from Preventx representatives from Legal, Quality Compliance, and Business Operations, as well as external third-party privacy and security experts) as Preventx’s privacy officer and security officer, respectively, as required by HIPAA and applicable U.S. Data Protection Laws. They are responsible for the development and implementation of Preventx’s privacy and security policies and procedures, and are the persons whom other Employees should consult when issues arise concerning the use, disclosure, or other matters relating to the privacy of Individuals’ Covered Data and records.

  2. Compliance Team. Preventx shall maintain a structured privacy and security compliance team that addresses: compliance and standards; data privacy and protection; legal and regulatory compliance matters; business continuity and disaster recovery; communications and operations security management; physical security; systems acquisition, development, and maintenance; Supplier management; configuration and change management for software systems; and incident response planning and management, including appropriate maintenance, monitoring, and analysis of audit logs.

  3. Confidentiality. Employees and, as applicable, Suppliers with access to Covered Data shall be bound to keep such information confidential and shall comply with Preventx Framework requirements, applicable data privacy and security policies and procedures, and any applicable confidentiality agreements.

  4. Contracts. Preventx shall enter into appropriate contractual relationships with Covered Entities, Suppliers, Subprocessors, and other third parties as required to perform the Services, including Business Associate Agreements for Processing of PHI on behalf of Covered Entities and other applicable agreements (such as data processing agreements) for Processing of other Personal Data.

  5. Data Classification. Covered Data shall be classified according to their risk sensitivity level, as identified in the Chart. The Chart criteria apply to all Covered Data Processed by Preventx and provide guidelines for how such data are to be protected with the appropriate level of organizational and technical measures, as further outlined under Section 5.7 (Data Safeguards) below.

5.4 Privacy Notices and Authorization

  1. As standard, Preventx Clients (as the CEs) shall be required to obtain valid Authorization for the use and disclosure of PHI to Preventx for its Services, and shall ensure their practices align with those Authorizations, in accordance with this Section.

  2. Where required, Preventx shall make available a notice of privacy practices (“Privacy Notice”), consistent with the Privacy Rule, applicable U.S. Data Protection Laws, and Framework requirements. This Privacy Notice shall be generally available on Preventx’s website at: ____________________________.

  3. Such Privacy Notice(s) shall provide adequate notice of applicable Processing (including uses and disclosures) of PHI made by Preventx, and shall include, at minimum, the following information:

    1. How Preventx may use and disclose PHI about an Individual;

    2. An Individual’s rights with respect to the information and how the Individual may exercise these rights, including how the Individual may submit a complaint (defined under Section 5.5 of this Policy);

    3. Preventx’s legal duties with respect to the information, including a statement that Preventx is required by law to maintain the privacy of PHI; and

    4. Whom Individuals may contact for further information about Preventx’s privacy policies.

  4. Where Services are provided directly to an Individual, such Privacy Notice(s) shall be provided to the Individual before the start of the Services and shall require the Individual to agree to the uses and disclosures associated with the Services. Such Privacy Notice(s) shall include additional information, as required under applicable U.S. Data Protection Laws, including:

    1. The categories of, and specific pieces of, Personal Data Processed about an Individual;

    2. The categories and sources for the Personal Data collected or Processed;

    3. The business or commercial purpose(s) for collecting the Personal Data;

    4. The categories of third parties with whom Personal Data are shared and what data they receive;

    5. Information about the “Sale” of Personal Data, as defined under applicable U.S. Data Protection Laws; and

    6. The Individuals’ Rights as defined under Section 5.5 of this Policy.

  5. Where Preventx is considered a Regulated Entity under the MHMDA, Preventx shall also maintain a “Consumer Health Data Privacy Policy,” as required under that law. This shall include the information outlined above and the following:

    1. The categories of Consumer Health Data collected;

    2. The categories of sources from which Consumer Health Data are collected;

    3. The purposes for which Consumer Health Data are collected and used;

    4. The categories of Consumer Health Data that are shared;

    5. A list of the categories of third parties (Subprocessors) with which Consumer Health Data are shared;

    6. A list of the specific affiliates with which Consumer Health Data are shared; and

    7. A description of how an Individual can exercise rights of access, deletion, and withdrawal of consent (per Section 5.5).

5.5 Individuals’ Rights

  1. In accordance with applicable U.S. Data Protection Laws and the Privacy Rule, Individuals shall have the right to exercise their privacy rights and submit DSRRs. Such rights, as further specified in this Policy and under <<GDPR-DOC-05-1 Data Subject Request Procedure>>, shall include, without limitation:

    • The right to access Covered Data or request a copy;

    • The right to rectification, allowing Individuals to amend incomplete or inaccurate Covered Data;

    • The right to deletion or erasure of their data, subject to certain exceptions;

    • The right to restrict Processing (including the right to limit use of Sensitive Personal Data);

    • The right to data portability or request data are transferred to another party;

    • The right to Opt-out, or object to certain Processing, including marketing/advertising activities;

    • The right to withdraw consent;

    • The right to Opt-out of sale (if applicable);

    • The right to opt out of, or obtain information about, certain automated decision-making and profiling;

    • The right to lodge a complaint with certain U.S. State Attorneys General or regulatory bodies;

    • The following rights under the HIPAA Privacy Rule:

      • The right to revoke Authorization of Processing PHI;

      • The right to confidential communications of PHI;

      • The right to restrict disclosures of PHI;

      • The right to an accounting of disclosures of PHI; and

    • Any other rights as may be available under U.S. Data Protection Laws.

  2. DSRRs may be submitted using the methods described under <<GDPR-DOC-05-1 – Data Subject Request Procedure>>, in accordance with the applicable Privacy Notice(s), by emailing [email protected], or by calling Preventx’s toll-free number +1-855-222-9111.

  3. Requests shall be fulfilled within one (1) month of receipt, or as otherwise required under applicable U.S. Data Protection Laws, including:

    1. California allows up to forty-five (45) calendar days from receipt of a verifiable request; HIPAA allows up to thirty (30) days for access requests (extendable once by up to thirty (30) days with written notice to the Individual) and up to sixty (60) days for an accounting of disclosures; and

    2. Additional time may be taken due to the complexity of a request, in accordance with applicable U.S. Data Protection Laws.

  4. Fees. As standard, Preventx does not charge a fee for handling routine DSRRs. However, Preventx reserves the right to charge reasonable administrative fees if requests are complex in nature or unduly burdensome, subject to applicable U.S. Data Protection Law fee restrictions. For HIPAA accounting of disclosures requests, the first request in any twelve (12) month period is free of charge. For subsequent requests by the same Individual within that twelve (12) month period, Preventx reserves the right to charge a reasonable, cost-based fee for each such request; provided that the Individual is informed of the fee in advance and has an opportunity to withdraw or modify the request to avoid or reduce fees.

  5. Preventx shall not retaliate against an Individual for exercising rights provided by the applicable U.S. Data Protection Laws (including the Privacy Rule), for assisting in an investigation by the HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violated Preventx’s privacy practices or applicable U.S. Data Protection Laws.

  6. Receipt of Unauthorized Covered Data. If Preventx receives Covered Data that it was not authorized to receive, e.g., PHI that was not covered by an Authorization or BAA, or that exceeds the minimum data required for a particular Processing activity, such matters will be handled in accordance with the Information Security and Risk Management Procedure to ensure appropriate remediation, such as deletion or redaction of the unauthorized Covered Data, where technically feasible and relevant.

5.6 Uses and Disclosures

  1. Preventx shall Process Covered Data in accordance with the principles and protections defined within this Policy, Framework requirements, and applicable requirements under U.S. Data Protection Laws.

  2. In accordance with HIPAA, where Preventx is Processing PHI on behalf of a CE, the following shall apply:

    1. As standard, Preventx Clients (i.e., CEs) shall be responsible for obtaining valid Authorization from Individuals (where required) for the use and disclosure of their PHI in connection with Services not associated with lab services; and

    2. Preventx shall Process PHI as permitted under HIPAA, either as an indirect provider or under an applicable BAA tied to administrative functions. This may include the following uses and disclosures of PHI:

      1. For CEs, and Preventx, related to treatment, payment, and healthcare operations, consistent with that Covered Entity’s privacy notice to Service Users;

      2. For Preventx’s proper management and administration or to fulfill its legal responsibilities, as long as, in the case of any disclosure for these purposes, either: (a) the disclosure is Required by Law; (b) the disclosure is to the Secretary in connection with compliance reviews and investigations; (c) where necessary to prevent a serious threat to an Individual’s health and safety or the health and safety of the public or another person; however, any such disclosure would only be to someone able to prevent the threat; (d) PHI disclosure is in response to a subpoena; or (e) PHI disclosure is part of law enforcement activities (e.g., investigations of criminal conduct);

      3. To provide data analysis administration services;

      4. To provide data aggregation Services;

      5. Preparing PHI limited data sets if the Covered Entity, or Preventx, enter into a data use agreement with the limited data set recipient;

      6. De-identifying PHI;

      7. PHI utilization review;

      8. PHI quality assurance reviews;

      9. To the patient;

      10. For treatment activities of another healthcare provider;

      11. To a CE, or its BA, for payment activities;

      12. To a CE, or its BA, for certain healthcare operations; provided that, Preventx and the CE each has (or had) a relationship with the patient and the PHI pertains to that relationship;

      13. Under a valid HIPAA Authorization;

      14. To the HHS in connection with compliance reviews and investigations, subject to the requirements of applicable laws; and

      15. Where required, reporting positive HIV/AIDS Status test results to local health authorities, in accordance with applicable U.S. State Laws.

  3. Where Preventx provides Services directly to an Individual, Preventx shall not qualify as a CE or BA, but shall provide Notice to Individuals that is consistent with HIPAA and in accordance with Section 5.4 of this Policy. It shall use, and disclose, PHI only for those explicit purposes, or as provided in valid Authorizations, in accordance with applicable U.S. Data Protection Laws.

  4. Where Preventx discloses PHI to an authorized recipient (i.e., a Subprocessor), it shall ensure the recipient of any PHI must provide Preventx reasonable assurances that the PHI will be held confidentially, subject to applicable confidentiality, data privacy and security obligations under a master services agreement (or BAA, where applicable) and used or further disclosed only as permitted, required by law, or for the purpose of the disclosure, in accordance with Section 5.10 (Supplier Management) of this Policy.

  5. Data Aggregation: Preventx, where applicable, in its capacity as a BA, may aggregate PHI with the PHI of other CEs that Preventx possesses, for the purpose of providing data analyses related to the healthcare operations of each of its CEs, so long as such data aggregation practices apply de-identification to any PHI.

  6. De-Identification (or Anonymization): Preventx may de-identify Covered Data, so long as such de-identification practices align to applicable HIPAA standards, or other applicable U.S. Data Protection Laws, ensuring applicable Individual identifiers are removed. Such practices shall be performed in accordance with Framework requirements or as otherwise required under applicable U.S. Data Protection Laws.

  7. Subprocessors: Preventx will share PHI only with authorized Suppliers/Subprocessors who are contractually bound to terms at least as restrictive as Preventx’s Framework obligations, quality procedures, instructions, and written agreements, in accordance with Section 5.10 of this Policy.

5.7 Data Safeguards

  1. Preventx shall implement and maintain data protection and security measures, as required under applicable U.S. Data Protection Laws (including the Security Rule under HIPAA) that include administrative, technical, and physical safeguards designed to ensure the confidentiality, reliability, integrity, and availability of Covered Data and any systems, facilities, or software that are used, accessed, or supported in connection with Services and Processing of Covered Data. Such safeguards shall be in accordance with Framework requirements, as outlined in this Section 5.7.

  2. Administrative Safeguards

    1. Security responsibility. Covered Data Security shall be the responsibility of Preventx’s Data Privacy, IT/Security departments, in accordance with Framework requirements; however, Employees, and Suppliers (where applicable) are expected to support relevant security requirements as part of their job function, as it relates to relevant business activities and operations.

    2. Security Risk Management. Preventx shall ensure there are appropriate organizational structures, policies, and procedures in place to assess systems, applications, and activities that Process Covered Data, in accordance with Framework requirements. This shall include the requirement to conduct Data Protection Impact Assessments (“DPIA”) where any activity involves Covered Data and is likely to result in a high risk to the rights and freedoms of Individuals;

    3. Information Security Reviews. Preventx shall review records of information systems activity and audit logs, and access reports on a routine basis, in accordance with Framework requirements to ensure the on-going confidentiality of its systems and Covered Data;

    4. Access Management. Access to Preventx’s systems, or applications, used to perform the Services, will be granted, and revoked, in accordance with Framework requirements;

    5. Security Awareness Training. Employees, and relevant Suppliers, will receive mandatory data protection and information security compliance awareness training, covering applicable U.S. Data Protection Laws and other related privacy legislation; however, Suppliers that offer their own data protection and security compliance training (covering applicable U.S. Data Protection Laws) may provide to Preventx evidence of completion of comparable training prior to performing any Services on Preventx’s behalf. 

    6. Log-in Monitoring.  Logging activities are documented, and performed, in accordance with common security standards (e.g., ISO 27001);

    7. Password Management. Passwords allocated will conform to industry standards and align with password management standards; and

    8. Contingency Plan/Data Backup/Disaster Recovery. Business continuity and disaster recovery plans are in place, tested at least annually, and comply with applicable U.S. Data Protection Laws and Data Safeguards. Backups of Preventx’s systems, applications, and software, used to perform the Services, are replicated to a disaster recovery facility, so recovery can take place when there is a disaster. Covered Data are replicated to a disaster recovery facility, providing scheduled point-in-time backups of the data to ensure data integrity.

  3. Physical Security. Where physical locations hold, and Process, Covered Data, as required to perform the Services, Preventx shall ensure:

    1. Location access control procedures are aligned with guidelines detailed in Preventx’s Framework requirements;

    2. Data centers and other locations which house computers and communication systems used to perform the Services have: (a) suitable physical security measures designed to prevent unauthorized persons from gaining access; and (b) suitable environmental controls, in accordance with good industry practices, and can continue in operation despite disruption to the main power supply;

    3. Laboratories shall have secured doors and windows, monitored intruder alarms, registered key cards for entrance, and visitor logs for all third parties; and

    4. Magnetic tape, disk, and documentation holding Covered Data that are no longer required, or replaced, are physically destroyed, in accordance with Framework requirements.

  4. Technical Security

    1. Access Controls. Electronic information systems shall have appropriate controls in accordance with Preventx’s access management policies and Framework requirements, including unique user identification and automated logoff due to inactivity;

    2. Preventx shall ensure all Covered Data will reside within secure data center environments. Covered Data transported using portable media (including laptops, USB sticks, removable hard disks, and CD/DVDs) shall align with data minimization principles under applicable U.S. Data Protection Laws;

    3. The following Data Safeguards are implemented if Covered Data are transported using removable media: (i) Laptops will have whole-disk encryption; (ii) Removable hard-disks will have whole-disk encryption or password protection; (iii) USB sticks will be encrypted or password protected; (iv) CD/DVDs will be encrypted or password protected; and (v) A strong passphrase will be used to encrypt Covered Data, where applicable;

    4. Integrity Controls. Preventx shall implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until disposed of;

    5. Encryption. Preventx Service applications shall be hosted and managed on Microsoft Azure cloud. Where applicable, Covered Data shall be encrypted at-rest, at AES 256 bit (including backups), and Transport Layer Security (“TLS”) 1.2 in transit; and

    6. Audit Trails/Logs. Audit trails to support requirements to assess data integrity and appropriate user access permissions shall align to Framework requirements.
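The in-transit requirement in this Section 5.7.4 (TLS 1.2 or newer, with certificate verification) can be expressed as a checkable configuration. The following is an added illustration, not Preventx's own code: a hypothetical client-side TLS context that meets the stated floor, and a small audit function that flags contexts that do not. The function and constant names are assumptions made for this example, and the "weak" context is constructed only so the audit has something to report; the at-rest AES-256 requirement is outside the Python standard library and is not shown here.

```python
import ssl
from typing import List

# Policy floor from Section 5.7.4.5: TLS 1.2 or newer for Covered Data in transit.
POLICY_MIN_TLS = ssl.TLSVersion.TLSv1_2


def build_policy_context() -> ssl.SSLContext:
    """Hypothetical client context that satisfies the in-transit safeguard.

    create_default_context() already requires a valid certificate chain,
    checks the host name and loads the system CA store. The minimum
    protocol version is pinned explicitly because older Python/OpenSSL
    builds default to a lower floor than TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = POLICY_MIN_TLS
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy findings for a context; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < POLICY_MIN_TLS:
        findings.append(
            f"minimum TLS version {ctx.minimum_version.name} is below TLS 1.2"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    return findings


def build_weak_context() -> ssl.SSLContext:
    """Constructed non-compliant context, used only to exercise the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Whether a TLS 1.0 floor can even be selected depends on the local
        # OpenSSL build; the downgrade is attempted only so the audit can flag it.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        pass
    return ctx


if __name__ == "__main__":
    for label, ctx in (("policy", build_policy_context()), ("weak", build_weak_context())):
        findings = audit_context(ctx)
        print(f"{label}: {'compliant' if not findings else '; '.join(findings)}")
```

The same three checks are what an administrator would look for when reviewing any client or server configuration against this Section: the protocol floor, whether the peer certificate chain is validated, and whether the certificate is tied to the intended host name.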

5.8 Regulatory Agency and Authorities

  1. Preventx shall adhere to regulatory requirements, including HIPAA compliance requirements, as prescribed by applicable Regulators, including the HHS or OCR (enforcer of the HIPAA Privacy Rule and Security Rule).

  2. Preventx shall abide by enforcement of relevant U.S. State Attorneys General and other governmental bodies (including the FTC) that oversee other applicable U.S. Data Protection Laws.

  3. Receiving Complaints. The Data Privacy office, and other applicable stakeholders, e.g., Legal, are responsible for receiving complaints related to Preventx’s applicable U.S. Data Protection Law practices, ensuring the appropriate implementation of Framework requirements, this Policy, and applicable requirements under HIPAA. If Employees receive any inquiry from the HHS, any U.S. State Attorney General, or other regulator, involving a complaint from an Individual who may have been unsatisfied with Preventx’s privacy practices (including complaints regarding HIPAA), Employees must immediately, and without undue delay, forward such inquiry to [email protected].

5.9 Marketing

  1. Preventx will conduct marketing, or prospecting, in accordance with applicable U.S. Data Protection Laws and Framework requirements. This shall include the requirement to have Individuals consent or Opt-in to marketing, where required, and to honor any requests to Opt-out of marketing when requested, as outlined in this Section 5.9.

  2. If Preventx Processes PHI for the purposes of direct marketing, it shall conduct such activities in accordance with the HIPAA Privacy Rule.

  3. For all direct marketing, Preventx must obtain a valid, completed Authorization form prior to using (or disclosing) PHI for purposes that meet the HIPAA definition of marketing. 

  4. For Subprocessors, and other Suppliers, Preventx may engage a marketing firm to conduct permitted marketing activities on Preventx’s behalf. Should the marketing activities require PHI use or disclosure to the marketing firm, Preventx shall ensure a BAA is signed to satisfy applicable HIPAA requirements.

  5. Preventx will not sell, or disclose, PHI to a third-party or help a third-party market its own products or services without a signed Authorization from the Individual.

5.10 Supplier Management

  1. Preventx shall assess Suppliers, in accordance with its Framework requirements and applicable policies and procedures to enable Preventx to appropriately identify, assess, monitor, and manage its Suppliers’ compliance with applicable legal and regulatory requirements (e.g., U.S. Data Protection Laws).

  2. For Suppliers who Process Covered Data, on Preventx’s behalf, known as Subprocessors, Preventx shall ensure such entities are Processing Covered Data, in accordance with applicable U.S. Data Protection Laws requirements, applicable terms under master services agreements, data processing agreements (or equivalent terms) or BAAs (where applicable), containing terms at least as restrictive as Preventx’s Framework obligations, quality procedures, written instructions, and contractual requirements.

  3. Where Subprocessors are supporting Preventx Services, Clients may be notified of such activities, in accordance with applicable contractual requirements.

  4. Subprocessors shall agree to notify Preventx of any instances of which the recipient becomes aware in which the confidentiality and security of PHI has been breached.

  5. For Preventx Services, where Suppliers are used to supplement the Services, Processing shall only occur with a CE’s authorization (where relevant), or an Individual’s Authorization, in accordance with applicable master service agreement terms, BAAs, and relevant requirements under HIPAA.

  6. Subprocessors shall also be listed within Preventx Privacy Notices, where required, as outlined in Section 5.4 (Privacy Notices and Authorization).

5.11 Records of Processing Activities

  1. Preventx shall complete or provide ROPAs, in accordance with applicable U.S. Data Protection Laws and shall include the following information (where required):

    1. The name and contact details of those responsible for the oversight of its Framework;

    2. The purposes, or Lawful Basis, for the Processing as defined in Privacy Notices, an applicable master services agreement, data processing agreement, BAA, or project documentation;

    3. A description of the Individual categories, and Covered Data categories, as outlined in an applicable informed consent, BAA, or data processing agreement;

    4. The categories of recipients to whom the Personal Data have been (or will be) disclosed (i.e., Suppliers/Subprocessors) including recipients in third-countries or international organizations;

    5. Where applicable, Personal Data transfers to a third-country or an international organization, including the identification of that third-country or international organization;

    6. Where possible, the estimated time limits for erasure of the different Covered Data categories; and

    7. Where possible, a general description of the technical and organizational security measures, as outlined within an applicable master services agreement or data processing agreement.

  2. If ROPAs are not readily available, Preventx shall ensure they are produced by the applicable stakeholders within an appropriate timeframe to meet any regulatory obligations or fulfill requests from an applicable Client or Individuals.

5.12 Incident Response

  1. Incident response, including associated detection, investigation, reporting, notification, and remediation actions are managed, in accordance with Framework requirements and the Information Security and Risk Management Procedure to ensure the company satisfies its applicable data breach management requirements, and associated reporting obligations, under HIPAA and other applicable U.S. Data Protection Laws.

5.13 Training

  1. Preventx shall ensure that its Employees, as part of on-boarding and annually thereafter, complete applicable Training through Preventx’s learning management system, which shall include relevant topics on Framework obligations and HIPAA compliance, cybersecurity, phishing, and other relevant requirements, in accordance with Preventx’s Employee training and documentation requirements. 

5.14 Disciplinary Actions

  1. Preventx shall ensure that appropriate steps are taken to comply with Framework requirements, this Policy, and applicable U.S. Data Protection Laws, including HIPAA for maintaining the confidentiality of Covered Data. Any violation of Framework requirements, this Policy, or other applicable laws by Employees (or Suppliers, where applicable) shall be grounds for corrective action, up to, and including termination or revocation of an applicable service agreement, and any other legal remedies that may be available.

5.15 Monitoring/Audit

  1. Preventx shall ensure its Framework requirements are periodically reviewed by the Data Privacy office, or IT/Security (or an external auditor), no less than annually, to ensure compliance with applicable HIPAA obligations and where required, other applicable U.S. Data Protection Laws.

APPENDIX A: Document Classification Chart

Document Classification Chart

Columns: Name of Classification | Description | Impact | Examples | Permitted/Restricted Activities

Classification: Public

Description: Public data is unrestricted and meant for public consumption.

Impact: Confidentiality is of no particular significance to this information.

Examples:

  • Web pages;
  • Publicity and marketing materials;
  • Organisational Accreditation information; and
  • Public contact details.

Permitted/Restricted Activities: No specific restrictions.

Classification: General

Description: Daily work products used and shared throughout the organisation and with relevant clients, suppliers or subcontractors.

Impact: The inappropriate disclosure of this information could:

  • cause minor damage to the organisation’s reputation or operations; or
  • cause inconvenience to individuals.

Examples:

  • Organisational Policies;
  • Products;
  • Client deliverables; and
  • Meeting minutes.

Permitted/Restricted Activities: This information should be freely shared within the organisation. It should not be made available to anyone outside the organisation without permission or authorisation and should not be assumed to be common knowledge.

Classification: Confidential

Description: Data which is crucial to the success of the organisation or which is subject to legal restrictions or is held under a contractual or common law duty of confidentiality.

Impact: The inappropriate disclosure of this information could:

  • cause significant damage to the organisation’s reputation or operations;
  • breach statutory restrictions on disclosure of information;
  • pose a danger to personal safety or to life; or
  • impede the investigation or facilitate the commission of serious crime.

Examples:

  • Personal and special category data (e.g., names and addresses);
  • Some meeting minutes;
  • Commercially confidential information (e.g., contracts, contractual negotiations, etc.);
  • Financial information;
  • Security information; and
  • Incident information.

Permitted/Restricted Activities: This information must:

  • only be passed on to a third party if explicitly authorised by the Framework;
  • only be provided to roles which require the information as part of their duties, as authorised by the Framework;
  • be stored securely (e.g., by encrypting the file or locking the document away); and
  • be securely disposed of (by non-recoverable means) when no longer required.

This information may not:

  • be discussed in any area where conversations could be overheard; or
  • be transmitted insecurely (e.g., via ftp, standard email, or to a fax machine or printer in a public area). Appropriate secure methods of transmission should be selected on a case-by-case basis.

Loss of this information should be reported to Data Privacy and IT/Security for investigation.

Classification: Highly Confidential

Description: The most critical data to the organisation which should be shared only with named recipients.

Impact: The result of this information becoming available to anyone outside the group specified could have the same effect as ‘Confidential’ information, but the list of those who may be made privy to the information is very restricted and should not ordinarily be changed.

Examples:

  • Some meeting minutes;
  • Some financial information;
  • Some security information;
  • Some incident information; and
  • Legal advice.

Permitted/Restricted Activities:

  • This information must only be made available in a controlled environment (e.g., a secure meeting room, security-controlled filing system);
  • Documents containing the information must only be passed temporarily to others in the controlled environment, or signed for if copies are to be retained;
  • Each copy of the information must be uniquely identified by a number and title, and the Information Owner must keep a record of who has which copy; and
  • Loss/destruction of a copy must be immediately reported to Data Privacy, IT/Security, and the information asset owner for investigation.