Information Security Policy
Definitions Used In This Policy
- The reasons for seeing a health professional;
- Tests and procedures undertaken, the results of such tests and procedures, clinical findings and diagnoses;
- The options for care and treatment suggested by one or more health professionals, and the decisions made about care and treatment;
- Details of action health professionals have taken and their outcomes.
Data Protection Principles
- Personal data should be processed fairly and lawfully;
- Personal data should be obtained only for specified and lawful purposes and should not be used for other purposes;
- Personal data should not be excessive in relation to the purpose for which it is processed;
- Personal data should be accurate and where necessary kept up to date;
- Personal data should not be kept longer than is necessary for the purpose for which it is processed;
- Personal data should be processed in accordance with the rights of patients under the Privacy Regulations;
- Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing and against accidental loss or destruction; and
- Personal data should not be transferred outside of the Country/Region except where specific criteria are met.
Personal Data Held By Medix
Purposes For Which Personal Data May Be Acquired and Held
Disclosure Of Personal Data
Medix is committed to maintaining the confidentiality of all Patients’ personal data and medical information and shall not disclose any personal and medical information relating to a Patient to third parties except as follows:
- To doctors and other members of the Medix team providing the Medix Services (provided that such disclosure is only for the purpose of enabling them to provide the Medix Services and the recipients are bound by an obligation of confidentiality);
- To specialist doctors, who may be situated in any part of the world, to assist in providing the Medix Services, provided that such disclosure is only for the purpose of enabling them to provide the Medix Services;
- To third-party health care providers if Medix wishes to retrieve medical information from them which is necessary for the provision of the Medix Services;
- To the insurance company with whom the Patient (or family member) holds the policy of insurance under which the Medix Service is provided (provided that such disclosure is only for the purpose of updating member medical history and quality control);
- Where disclosure is expressly requested or permitted by the Patient; or
- Where disclosure is required by law or regulations, by any court or any relevant regulatory body.
Storage Of Data
Subject Access Requests
Patients have a right at any time to request in writing access to a copy of any personal data which Medix holds about them, provided that adequate proof of identity is supplied. If, after accessing such information, a Patient believes any of the personal data which Medix holds is incorrect, the Patient can ask to have the inaccurate data amended.
All access requests are forwarded to the Data Protection Compliance Manager.
Retention/Destruction Of Personal Data
Medix aims only to retain personal data for as long as is necessary for the purposes for which it was obtained and therefore to return, destroy or erase from Medix’ systems personal data when it is no longer required.
All personal data relating to a Patient held by Medix shall be returned to the Patient or destroyed after a minimum period of 10 years from the date on which Medix stops providing the Medix Services to that Patient.
Destruction of data shall be carried out securely and in an appropriate manner.
Monitoring And Review Of The Policy
This policy is reviewed on an annual basis by the Medix board of directors. Recommendations for any amendments are reported to the President, the Global Medical Director, and the Data Protection Compliance Manager. All amendments are reviewed and audited by Medix legal counsel.
Medix will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.
Queries regarding confidentiality and medical information security can be sent to: firstname.lastname@example.org