Information Security Policy

DATE

18.01.22

Introduction

Medix provides healthcare management services to companies and individuals who seek to receive Medix services. As a result, Medix obtains and stores personal and medical data from its customers, including information about their physical and mental health and condition. Medix recognizes the importance and sensitivity of such personal data and is fully committed to dealing with the information in accordance with Medix’ legal obligations under the EU General Data Protection Regulation (“GDPR”) and all relevant Privacy laws and regulations in each country/region Medix operates (“Privacy Regulations”). As part of Medix commitment to the protection of our customers’ privacy we have achieved and are maintaining ISO 27001 accreditation. Medix is committed to maintain the highest level of security of its infrastructure and implements significant measures and procedures to ensure employee, provider and customer awareness and compliance with the required levels of Security.

Definitions Used In This Policy

“Personal data” is data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession, or likely to come into the possession, of Medix, and includes expressions of opinion about the individual and any indication of the intentions of Medix or any other person in respect of the individual. “Medical information” forms part of personal data and comprises information about an individual’s physical or mental health or condition, including without limitation:
  • The reasons for seeing a health professional;
  • Tests and procedures undertaken, the results of such tests and procedures, clinical findings and diagnoses;
  • The options for care and treatment suggested by a or various health professionals; decisions made about care and treatment;
  • Details of action health professionals have taken and their outcomes.
“Processing” information means obtaining it, holding it, organising it, using it, disclosing it, manipulating it or destroying it.

Data Protection Principles

Medix complies with the following data protection principles in relation to all personal data which it processes in respect of a Patient. The data protection principles are:
  • Personal data should be processed fairly and lawfully;
  • Personal data should be obtained only for specified and lawful purposes and should not be used for other purposes;
  • Personal data should not be excessive in relation to the purpose for which it is processed;
  • Personal data should be accurate and where necessary kept up to date;
  • Personal data should not be kept longer than is necessary for the purpose for which it is processed;
  • Personal data should be processed in accordance with the rights of patients under the Privacy Regulations;
  • Appropriate technical and methods should be taken against processing and accidental loss or destruction; and
  • Personal data should not be transferred outside of the Country/Region except where specific criteria are met.
Medix is fully committed in complying with those principles in processing all personal data relating to Patients. By setting out its policies and procedures for such processing in this and in other related documents so that they are transparent to Patients and by following these policies and procedures, Medix aims to achieve that commitment.

Personal Data Held By Medix

During the course of providing (or considering whether to provide) Medix Services, Medix will acquire personal data, including medical information, regarding Patients. Only such information as is necessary for the purposes of providing (or considering whether to provide) Medix Services to a Patient shall be requested and held.

Purposes For Which Personal Data May Be Acquired and Held

Medix will obtain and hold personal data about Patients only for the purposes of providing (or considering whether to provide) Medix Services to those Patients.

Disclosure Of Personal Data

Medix is committed to maintaining the confidentiality of all Patients’ personal data and medical information and shall not disclose any personal and medical information relating to a Patient to third parties except as follows:

  • To doctors and other members of the Medix team providing the Medix Services, (provided that such disclosure is only for the purpose of enabling them to provide the Medix Services and the recipients are bound by an obligation of confidentiality);
  • To specialist doctors, who may be situated in any part of the world, to assist in providing the Medix Services, provided that such disclosure is only for the purpose of enabling them to provide the Medix Services;
  • To third-party health care providers if Medix wishes to retrieve medical information from them which is necessary for the provision of the Medix Services;
  • To the insurance company with whom the Patient (or family member) has the policy of insurance under which the Medix Service is provided (provided that such disclosure is only for the purpose updating member medical history and quality control).
  • Where disclosure is expressly requested or permitted by the Patient; or
  • Where disclosure is required by law or regulations, by any court or any relevant regulatory body.

Accuracy

Medix seeks to ensure that the personal data held by it is accurate and kept up to date. Accordingly, Patients are advised to inform Medix if they become aware that any personal data held by Medix is out of date or inaccurate.

Storage Of Data

All personal data of Patients held by Medix shall be stored securely and access shall be restricted only to those who are authorised to use it for the purpose of medical case management.

Subject Access Requests

Patients have a right at any time to request in writing access to a copy of any personal data which Medix holds about them only when adequate proof of identity is being provided. If after accessing such information a Patient believes any of the personal data which Medix holds is incorrect, the Patient can ask to have the inaccurate data amended.

All access requests are forwarded to the Data Protection Compliance Manager.

Retention/Destruction Of Personal Data

Medix aims only to retain personal data for as long as is necessary for the purposes for which it was obtained and therefore to return, destroy or erase from Medix’ systems personal data when it is no longer required.

All personal data relating to a Patient held by Medix shall be returned to the Patient or destroyed after a period of minimum 10 years from the date on which Medix stops providing the Medix Services to that Patient.

Destruction of data shall be carried out securely and in an appropriate manner.

Monitoring And Review Of The Policy

This policy is reviewed on an annual basis by Medix board of directors. Recommendations for any amendments are reported to the President, the Global Medical Director, and the Data Protection Compliance Manager. All amendments are reviewed and audited by Medix legal counsellors.

Medix will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.

Queries regarding confidentiality and medical information security can be sent to: info@medix-global.com