Privacy and Security Practices Schedule

The following terms outline the privacy and security practices that support Think Research’s privacy and security policies. Think Research reserves the right to modify and/or update these terms from time to time.

The terms “agent”, “collect”, “disclose”, “de-identify”, “health information custodian”, “personal health information”, “use”, “health care”, “individual”, “information practices” and “record” shall have the respective meanings ascribed thereto by PHIPA.

“Applicable Privacy Laws” means Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and substantially similar provincial legislation, provincial health information legislation and the directives in Canada; the U.S. Health Insurance Portability and Accountability Act of 1996, as codified at 45 C.F.R. Parts 160 & 164 (“HIPAA”); and the European Union’s General Data Protection Regulation 2016/679 (“GDPR”) as it relates to the processing of personal data of citizens of the European Union; in each case as the same may be amended, re-enacted, consolidated and/or replaced from time to time, and any successor to any of the foregoing.

“Authorized User” means any employee, agent or Representative of Customer who accesses or uses the Services.

“Business Day” means Monday to Friday from 9:00 a.m. to 5:00 p.m. exclusive of statutory holidays in Ontario.

“ESP” means a person who supplies services for the purpose of enabling a Customer to use electronic means to collect, use, modify, disclose, retain or dispose of PHI, and to the extent that the services are provided to a Customer that is a HIC, who is not an Agent of the Customer.

“GDPR” means the European Union’s General Data Protection Regulation 2016/679 as it relates to the processing of personal data of citizens of the European Union.

“HIA” means the Health Information Protection Act, 2000 (Alberta) and the regulations made under HIA.

“HIC” has the same meaning as “Health Information Custodian” in PHIPA.

“HINP” has the same meaning as “health information network provider” in the regulations made under PHIPA.

“Patients” means the individuals to whom Customer provides health care.

“PHI” means information that is defined as “personal health information” in PHIPA that is processed, transferred and/or stored by means of the Services.

“PHIPA” means the Personal Health Information Protection Act, 2004 (Ontario) and the regulations made under PHIPA.

“Representative(s)” means an individual or individuals with adequate authority and appropriate qualifications, skills and competence, designated by a Party, to manage matters relating to the Services, on behalf of the Party.

“Third Party Providers” means vendors that provide and/or license hardware, software and services to Think Research to support the provision of Services. 

    1. Privacy and Security. Think Research and Customer have each designated a person responsible for the protection of PHI and for coordinating and overseeing timely compliance with these requirements (“Privacy Representative”). Either Party may at any time change its designated Privacy Representative upon written notice in accordance with the terms of this Schedule. The Parties will comply with the privacy and information security provisions herein.
    2. Roles of the Parties. Customer may be a HIC, a recipient of PHI from a HIC that is required to manage PHI in compliance with PHIPA, or not a HIC. Notwithstanding whether Customer is a HIC, Customer will comply with the provisions of PHIPA applicable to HICs. In regard to the Services and regardless of whether Customer is a HIC, Think Research and/or its Third Party Providers will be:
      1. an ESP where the Services enable Customer to use electronic means to collect, use and disclose PHI (“ESP Services”);
      2. a HINP where the Services enable Customer and one or more other Customers to disclose PHI to one another (“HINP Services”); and
      3. an Agent on behalf of the Customer where it collects, uses or discloses PHI to undertake activities requiring the collection, use or disclosure of PHI on behalf of Customer, including auditing and managing actual or suspected contraventions of PHIPA, if any (collectively, “Privacy Operations”).
      The role of Customer and of Think Research under PHIPA may change depending on the Service or product being provided.
    3. Think Research Obligations as ESP or HINP. Regardless of whether it is providing ESP Services or HINP Services, or is acting as an Agent, Think Research will:
      1. not use any PHI to which it has access in the course of providing specific Services except as necessary in the course of providing those Services or directed by Customer where Think Research is acting as an Agent;
      2. not disclose any PHI to which it has access in the course of providing ESP Services or HINP Services;
      3. not permit Think Research Personnel to have access to PHI, or to collect, use or disclose the PHI, unless Think Research Personnel agree to comply with the restrictions that apply to Think Research under this Schedule and such access is necessary to fulfill Think Research’s obligations under this Schedule; and
      4. implement administrative, technical and physical safeguards, practices and procedures to protect the privacy of the individuals whose PHI it uses to provide the Services.
    4. Think Research Obligations as HINP. When providing HINP Services, Think Research will:
      1. notify the Customer at the first reasonable opportunity upon becoming aware that Think Research Personnel accessed, used, disclosed or disposed of PHI other than in accordance with this Schedule, or that an unauthorized person accessed PHI;
      2. provide Customer with a plain language description of the HINP Services that is appropriate for sharing with Patients, including a general description of the safeguards in place to protect against unauthorized use and disclosure, and to protect the integrity of PHI;
      3. make available to the public:
        1. the description referred to in paragraph 2 above;
        2. any Think Research guidelines and/or policies that apply to the HINP Services, to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information; and
        3. a general description of the safeguards implemented by Think Research in relation to the security and confidentiality of PHI;
      4. to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to a Customer on its request an electronic record of:
        1. accesses to PHI associated with the Customer being held in the Services controlled by Think Research, which record shall identify the person(s) who accessed the PHI and the date and time of the access; and
        2. transfers of PHI associated with the Customer by means of the Services controlled by Think Research, which record shall identify the person who transferred the PHI, the person or address to whom it was sent, and the date and time it was sent;
      5. perform, and provide to Customer a written summary of the results of, an assessment of the HINP Services with respect to threats, vulnerabilities and risks to the security and integrity of PHI, and how the HINP Services may affect the privacy of the individuals to whom PHI being disclosed through the HINP Services relates;
      6. ensure that any subcontractor or Third Party Provider it retains to provide the HINP Services agrees to comply with the restrictions and conditions that are necessary to enable Think Research to comply with this Section 4; and
      7. comply with the applicable provisions of PHIPA and the regulations made under PHIPA.
    5. Think Research Obligations as Agent. Think Research, as Customer’s Agent, may use, disclose or de-identify PHI as required for Privacy Operations.
    6. Disclaimer. The use of the Services is at the sole risk of Customer. Customer is required to apply the same scrutiny to PHI as Customer would to PHI received in another format or through other means, including paper records. Think Research is not responsible or liable for:
      • the privacy practices of a Customer or Customer’s compliance with its privacy and security related obligations, including Customer compliance with PHIPA and other applicable privacy laws in the course of collecting, using and disclosing PHI by means of the Services; or
      • any health services related decisions, including without limitation any clinical decisions, made on the basis of PHI. 
    7. Think Research Collection and Use of Customer Information. Think Research and its Third Party Providers may collect information about Representatives and/or Authorized Users (“Customer Information”), including their name, phone number, regulatory body identifier including a health profession college member number, and email address for the purpose of creating customer profiles, conducting surveys, evaluation of Services, remuneration and invoicing, as well as validating the identity of Representatives and/or Authorized Users and other purposes necessary to fulfill Think Research’s and Third Party Provider’s business obligations. 
    8. Safeguards. Think Research and its Third Party Providers utilize safeguards to protect PHI that include the following:
      1. privacy and security policies, standards and procedures designed to protect PHI within its environments;
      2. a designated privacy representative who is accountable for Think Research’s privacy program and a designated security representative who is accountable for Think Research’s security program;
      3. confidentiality agreements signed by Think Research Personnel, who are required to complete mandatory privacy and security training, abide by Think Research privacy and information security policies and commit to complying with those policies as a condition of employment or engagement;
      4. where access to PHI is required in the course of providing a Think Research Service, a requirement that Think Research Personnel adhere to Think Research policies and a prohibition on using or disclosing such information for any purpose other than the provision of the Services;
      5. audit logs of user and system administrator activities, which Think Research audits and monitors;
      6. a record of the security privileges of individuals having access to its systems;
      7. a unique identifier/log-in for each member of Think Research Personnel;
      8. mandatory use of strong passwords to access systems hosting PHI;
      9. AES encryption at rest for all sensitive data held by Think Research;
      10. administrative access to Think Research systems granted and controlled on a need-to-know basis;
      11. reasonable measures to ensure that only authorized individuals have access to physical locations and assets critical to the organization, such as corporate facilities, computing equipment and data centres; and
      12. environmental controls that further address risks to physical locations and the safety of employees, such as fire, water, electrical surges, power outages, corporate espionage and other dangers.
    9. Customer Obligations. Without limiting any obligations of Customer, in connection with the Services, Customer will:
      1. obtain and maintain any required consent or give any required notice to individuals whose PHI is managed through the Services;
      2. use reasonable efforts to ensure that PHI is accurate, complete and up-to-date, or set out any limitations on the accuracy, completeness and currency of the PHI;
      3. be responsible for the acts and omissions of their Authorized User(s) and Representative(s) in connection with the Services;
      4. only request that a person be designated an Authorized User if and for so long as the Authorized User requires the use of the Services for the purpose of providing or supporting the delivery of health care to Patients;
      5. to the extent that any third party retained by the Customer has functions related to the Services, including access to PHI, the Customer will ensure that the third party agrees in writing to comply with these obligations;
      6. accept and enforce any Think Research decision to suspend or terminate an Authorized User’s access to and use of the Services in accordance with the terms of the agreement signed;
      7. ensure that before using the Services, its Representative(s) and Authorized User(s) have successfully completed their organization’s privacy or security training program;
      8. obtain any consent required for the collection and use of Customer Information by Think Research and its Third Party Providers for the purpose of maintaining, supporting and evaluating the use of the Services;
      9. protect and keep confidential, and require their Authorized User(s) to protect and keep confidential, all passwords and other access credentials used in connection with the Services, including without limiting the generality of the preceding, never including such credentials in an email;
      10. promptly contact Think Research’s Privacy Officer at privacy@thinkresearch.com and ensure that the Customer’s Privacy Representative is also notified upon first learning of the possibility of unauthorized access, collection, use, disclosure, modification or destruction of any PHI related to the Services;
      11. provide and maintain at its own cost and expense any software, hardware or services needed to use the Services;
      12. not use the Services for any purpose or in any manner that is unlawful, or that interferes with or disrupts the integrity or performance of the Services, and without limiting the preceding, not use the Services to upload, transmit, or distribute any virus, worm, Trojan Horse, or other code or routine that has properties that may damage, harm, interfere with, or otherwise adversely affect the Services;
      13. not attempt or permit, assist or encourage any other person to reverse engineer the Services or alter, decompile, circumvent, tamper with, destroy, conceal, or remove any notices, codes, information, security or control measures in relation to the Services;
      14. only use the Services to provide health care to Patients and in compliance with all applicable laws and standards, including without limitation PHIPA; and
      15. update its information (physical address, phone number, fax number and email address) as soon as the information changes by contacting Think Research by email at privacy@thinkresearch.com or in writing to: Think Research Corporation, 199 Bay Street #4000, Toronto, ON M5L 1A9.

For purposes of clarity, the following terms shall have the following reciprocal or similar meaning within the specified jurisdictions:

| PHIPA (Ontario)                     | HIA (Alberta)       | HIPAA (United States) | GDPR (European Union) |
|-------------------------------------|---------------------|-----------------------|-----------------------|
| Health Information Custodian        | Custodian           | Covered Entity        | Controller            |
| Agent                               | Affiliate           | Business Associate    | Processor             |
| Health Information Network Provider | Information Manager | Business Associate    | Processor             |
| Electronic Service Provider         | Information Manager | Business Associate    | Processor             |