This addendum is applicable to Healthcare Practitioners using Physitrack from Canada.
Physitrack, and all of its employees, contractors and representatives, will take all reasonable precautions with the storage and handling of any patient information, and will comply with the obligations of the British Columbia Personal Information Protection Act ("PIPA"). As part of these duties Physitrack shall:
- Only collect, use, access, and retain the information provided to it as identified in the subscription agreement between Physitrack and Customers (the Healthcare Providers).
- Allow a Customer access to its information when asked for it, and never deny access because of a disputed payment for services.
- Report any privacy breach or security incident to Customers within two business days.
- Return personal information to the Customer, or destroy it, when the subscription agreement ends.
- Store all patient information on servers located in Canada only.
- As a matter of normal policy, have systems and data security audits performed by independent third-party companies at least once per year.
- Access to Patient Information - Physitrack works to ensure that access to patient information by Physitrack is appropriately limited, and that all such information is protected with best-in-class security measures.
- Rights to Personal Information -
Physitrack limits access to private patient information only to those individuals with the rights and strict necessity to view it.
At the server and developer level, secure keys and passwords are issued to any individual authorised to access Physitrack's data and application only insofar as the individual is actively involved with development of Physitrack.
Physitrack's sales and support employees and contractors have no access to individual patient outcome data other than PhysiApp access codes, and will strictly use this data for support requests initiated either by the patient or the practitioner.
- Encryption - All stored data which can reasonably be expected to contain sensitive information is encrypted at rest and in transit.
- In the Event of a Data Breach - In the event of a personal information breach or security incident, Physitrack shall:
1) Immediately research which (sub)systems have been affected by a possible security breach;
2) If Physitrack suspects that sensitive practitioner data has been compromised, Physitrack will invalidate practitioner passwords, forcing practitioners to choose a new password via a unique email link upon their next login.
3) Send an email to all (affected) practitioners and subscribers detailing the nature of the data breach, the steps which have been taken to mitigate it, and the measures which have been taken to prevent a recurrence.
4) Make available a 12-hour response window via email to firstname.lastname@example.org
5) Hire an external, ISO-accredited security research company to audit Physitrack's system to confirm that the measures taken are sufficient.
- System Outage - Physitrack hosts its applications in world-class data centers. Further, Physitrack uses various monitoring systems to monitor application status and performance.
In the event of a scheduled, non-emergency outage of more than 20 minutes during business hours, this will be announced either via email or inside the Physitrack application.
In the event of an unscheduled outage, a Physitrack systems developer will be notified and will investigate the matter as soon as is reasonably possible.
Last updated 27 May 2016