Schedule A to Test Kit Personal Information Processing Agreement
Plain Language Description of ImageMover’s Health Information Network Provider (HINP) Service
Last Updated August 26, 2022
Ontario’s Personal Health Information and Protection Act, 2004 (“PHIPA”) defines a Health Information Network Provider (“HINP”) as a person or organization that provides services to two or more health information custodians primarily to enable the custodians to use electronic means to disclose personal health information (“PHI”) to one another.
As part of ImageMover’s software processing service (the “Service”), ImageMover may act as a HINP by facilitating the electronic transmission of PHI (i.e., test results) between two or more customers who are health information custodians.
This plain language description of ImageMover’s HINP services and security safeguards is made available to our customers to share with their test subjects and is made available to the general public via www.imagemovermd.com.
HINP Services
In general, with regard to the systems it maintains as a HINP or electronic service provider, other than as may be permitted or required by law, ImageMover does not:
Use any PHI to which we have access in the course of providing our Service to our customers, except as necessary in the course of providing our Service.
Disclose any PHI to which we have access in the course of providing our Service except as requested by our customers.
Permit our employees or any person acting on our behalf to have access to PHI, unless the employee or person acting on our behalf agrees to comply with the restrictions that apply to ImageMover.
In providing the HINP services, ImageMover provides the following information systems, information management and information technology services to protect PHI that customers disclose to one another (“HINP Services”):
Assess the threats, risks and impacts associated with the shared system and work to safeguard PHI and meet our obligations related to privacy and security.
Identify and manage privacy and security incidents as they pertain to the use of PHI between our customers, including notification of any breach or security risk.
Implement retention and disposal policies specific to PHI.
Implement logging, auditing, and monitoring controls and communicate these controls to all authorized users.
Provide customers with information related to the access and transfer of PHI.
Provide the public and our customers, for sharing with their test subjects, with information about ImageMover’s role with respect to privacy practices and the safeguards in place.
Security Safeguards
In providing the HINP Services described above, ImageMover complies with relevant industry standards and uses a variety of administrative, physical and technical safeguards to protect PHI. These include:
Secure Hosting: The Service is hosted in a secure environment with effective security safeguards in place that are in compliance with industry best practices.
Authorization: Users’ identities are verified before they are granted access to the Service. Users’ access to the Service must be authorized by customers in accordance with agreements with our customers.
Authentication: All users are authenticated through an enhanced authentication mechanism prior to accessing the Service.
Data Security: Data cannot be changed or modified by any users unless they have received prior authorization. Data retention and disposal policies and procedures are in place to ensure the availability and confidentiality of data.
Security Assessment: ImageMover conducts audits, Privacy Impact Assessments and Threat Risk Assessments on our Service to identify improvements and mitigate risks.
Privacy: ImageMover and each customer that uses our HINP Service must adhere to PHIPA and its regulations regarding the collection, use and disclosure of PHI.
ImageMover has put in place policies to make sure that its employees, contractors and other agents understand their obligations with respect to the protection of PHI.