Legal

Last updated: February 17, 2023

If you are a “health information custodian” under the Personal Health Information Protection Act, 2004 (Ontario) and include Personal Information in Your Content, execution of the MedStack Customer Agreement (“Agreement”) will incorporate the terms of this Ontario Data Processing Addendum (“Addendum”) into that Agreement. 

1. Definitions. Terms used but not defined herein have the meanings given to them in the Agreement. For the purposes of this Addendum:

(a) “Personal Health Information” means any information about an identifiable individual which is personal health information as defined by Privacy Law and which is Processed by MedStack in connection with the Services. 

(b) “Personal Information” means any information about an identifiable individual which is personal information as defined by Privacy Law and which is Processed by MedStack in connection with the Agreement. For greater certainty, Personal Information includes Personal Health Information. 

(c) “Personnel” means employees, agents, contractors and volunteers.

(d) “Privacy Law” means the Personal Health Information Protection Act, 2004 (Ontario) and the Personal Information Protection and Electronic Documents Act, 2000 (Canada) and the respective regulations thereunder, as from time to time in force.

(e) “Processing” means the collection, use, or disclosure, including, for greater certainty, any access, retention, modification, copying, storage, safeguarding, permitted de-identification or anonymization, or destruction of Personal Information. “Processed” and “Process” have a corresponding meaning.

(f) “Security Breach” means any actual, reasonably suspected or attempted theft or loss of, unauthorized access to, or unauthorized use, disclosure or disposal of Personal Information.

(g) “Services” means the services provided by MedStack to you under the Agreement.

(h) “Subcontractor” means any contracted MedStack, including any third party and affiliate of MedStack but excluding an employee of MedStack, that Processes Personal Information in connection with MedStack’s provisioning of the Services.

2. Permitted Processing of Personal Information

(a) Compliance with Privacy Law. MedStack shall at all times ensure it Processes Personal Information in compliance with Privacy Law and this Addendum.

(b) Permitted Processing. MedStack shall Process Personal Information only as required to (i) fulfill its obligations under the Agreement; (ii) carry out your documented instructions; or (iii) comply with Privacy Law, and for no other purposes. MedStack shall only use as much Personal Information as is reasonably necessary to fulfill its obligations under the Agreement. 

(c) Custody and Control of Personal Information. The Parties acknowledge and agree that MedStack is no more than the temporary holder of Personal Information and has no more than a limited temporary right to Process the Personal Information on your behalf, to the extent necessary for the provision of the Services. Other than the foregoing, MedStack acquires no right, title or interest in or to any Personal Information under the Agreement. All Personal Information shall be under your effective custody and control at all times, including when MedStack is temporarily Processing Personal Information for the purpose of providing the Services.

3. MedStack Personnel

(a) Access by MedStack Personnel. MedStack shall only grant access to those of its Personnel who have a need to access Personal Information for the purposes of providing the Services. 

(b) Confidentiality Agreement. MedStack shall ensure that those of its Personnel who have access to Personal Information are subject to binding obligations substantially similar to those imposed upon MedStack in this Addendum. 

4. MedStack Subcontractors

(a) Permitted Processing. MedStack shall not allow any Subcontractor to Process Personal Information, including for greater certainty by way of hosting, storing or remotely accessing Personal Information, except as necessary to provide the Services in accordance with the Agreement.

(b) Contractual Agreement. MedStack shall ensure its arrangement with any Subcontractor, in connection with the provision of the Services, is governed by written agreement which offers substantially the same level of protection for Personal Information as required by Privacy Law and this Addendum.  

5. Individual Requests, Inquiries, and Legally Compelled Disclosure 

(a) Individual Requests. If MedStack receives a request from an individual to exercise their rights under Privacy Law, including any applicable right of access or right to amend or correct Personal Information, MedStack shall promptly advise the requestor that it does not control Personal Information and shall direct the requestor to you. MedStack shall reasonably cooperate with and assist you in the management of any such individual request.

(b) Inquiry or Complaint. If MedStack receives notice of a complaint or inquiry involving Personal Information, MedStack shall promptly notify you. MedStack shall reasonably cooperate with and assist you in connection with responding to any complaints or inquiries involving Personal Information or investigations connected therewith.

(c) Legally Compelled Disclosure. If MedStack is required by law to disclose Personal Information, including pursuant to a subpoena or warrant, MedStack shall promptly notify you of such obligation, unless prevented from doing so by law, and you may then, at your own expense, seek a protective order or other appropriate remedy. Any such disclosure shall be limited to such Personal Information as MedStack is strictly required to provide by law.  

6. Safeguards and Security Breaches

(a) Safeguards. MedStack shall employ reasonable administrative, technical and physical safeguards to protect Personal Information against theft, loss and unauthorized Processing, consistent with industry practice. 

(b) Information Policies and Procedures. MedStack represents and warrants that it has established, implemented, and maintains information privacy and security policies and procedures to ensure compliance with Privacy Law, including policies and procedures relating to the collection, use, disclosure, retention and disposal of Personal Information. MedStack shall monitor and enforce compliance with its own information policies and procedures. 

(c) Security Breach. In the event that MedStack becomes aware of a Security Breach, MedStack shall promptly notify you, and in any event no later than 72 hours after becoming aware of the Security Breach. MedStack shall reasonably cooperate with you to enable you to comply with your obligations under Privacy Law. MedStack shall not disclose to any third party the circumstances of the Security Breach without your prior written consent, except as required by law. MedStack shall take all reasonable measures to investigate, contain and mitigate the Security Breach and prevent further Security Breaches.

7. Compliance Audits 

(a) MedStack obtains industry-standard third-party certifications and audits, such as System and Organization Controls (SOC) 2 Type 2 audits. Upon your written request, and subject to the confidentiality obligations set forth in the Agreement, MedStack shall provide you with information regarding our compliance with the obligations set forth in this Addendum in the form of a SOC 2 Type 2 audit report or summary thereof.

8. Retention and Return of Personal Information

(a) MedStack shall not retain or dispose of any Personal Information unless authorized by you or required by Privacy Law. 

(b) In the event of the termination or expiration of the Agreement, MedStack shall cease any and all Processing of Personal Information (except as may be required under the Agreement to permit final retrieval by you) and securely and permanently destroy all Personal Information received or created under the Agreement, and copies thereof, if it is feasible to do so, and as set forth in the applicable termination provisions of the Agreement. If it is not feasible to destroy any portions of the Personal Information upon termination or expiration of the Agreement, we shall extend the protections of this Addendum, without limitation, to such Personal Information and limit any further Processing of the Personal Information to those purposes that make the destruction infeasible for the duration of the retention of the Personal Information. Upon your request, MedStack shall provide you with written attestation that it has complied with this provision.

(c) You are solely responsible for making and retaining copies of Personal Information Processed by us before terminating the Agreement.

9. General

(a) Conflict. This Addendum is deemed part of and integrated in the Agreement, provided that this Addendum prevails over the other parts of the Agreement in case of conflict or inconsistency. 

(b) Survival. All provisions of this Addendum which, by their nature, ought to survive any termination of the Agreement shall survive any such termination for as long as MedStack has custody or control of any Personal Information or as otherwise stated in this Addendum.