NexJ Connected Wellness Privacy Notice

(last updated: June 2018)

What’s changing?

We’re adding more detail about how and why we use the information and data we collect about you, how we process it, how we share it, and your rights with that data.

Why are we making these changes?

There are some new European privacy rules that will apply across Europe. We’re using this opportunity to make sure we’re clear on how we use your information regardless of where you live.

Does this affect the way I use the NexJ Connected Wellness Platform?

Not at all. Your NexJ Connected Wellness Platform experience will stay the same.

What if I don’t agree with the changes?

If you don’t agree with the changes, you can close your account. Or, if you have specific questions about the changes, please contact dataprotection@nexjhealth.com so we can answer any questions you have.

1. Introduction

NexJ Health is committed to protecting your privacy. This privacy notice applies to the data collected by NexJ Health through NexJ Connected Wellness. It does not apply to data collected by NexJ Health through other online or offline NexJ Health sites, products or services.

NexJ Connected Wellness is a personal health platform that lets you gather, edit, add to, store, and share health information online. With NexJ Connected Wellness, you can control your own health records. You can also share your health information with family, friends, health care professionals, mobile phone applications, health related devices, and online tools.

You can choose to share information with separate applications that can connect with or run on NexJ Connected Wellness (“Applications”) to use, edit and add to your health record. Applications can help you manage your information and find relevant health information.

You can choose to share specific information (or all information) with:

Please read the NexJ Connected Wellness – End User Terms of Use.

2. Collection of your personal information

NexJ Connected Wellness asks you to enter an identifier and password to sign in. The first time you sign in to NexJ Connected Wellness you may be asked to provide personal information such as name, date of birth, email, and residential address. Depending on which features you use, you may be asked for additional information for that feature (such as the name of your health care provider or insurance information).

NexJ Health may use the email address you provide to send you an email requesting that you validate your email address, to include in sharing invitations you send through NexJ Connected Wellness and to send you NexJ Connected Wellness notifications, such as email notification that information or messages are available to you on NexJ Connected Wellness. As described in their privacy statements, Applications you authorize may also use your email address.

NexJ Connected Wellness allows you to manage one or more health records, such as the ones you create for yourself and your family members. Generally, you choose what information to put in your records. Depending on the Applications that you use on NexJ Connected Wellness you may be asked to consent to the release of a copy of medical records or information from a health care organization or provider. When you consent to the release of a copy of medical records or information to NexJ Connected Wellness, the health care organization or provider remains the custodian of the original records and you are responsible for managing the copy released to NexJ Connected Wellness. Examples of the types of information you can store in your health record on NexJ Connected Wellness include:

You can use Applications to enter a wide range of health information into your health record. You can give Applications permission to view, add, modify, and/or delete information in a record. Some Applications store their own copy of the information they access. If an Application has its own privacy statement, NexJ Connected Wellness will provide you a link to such privacy statement at the time you are authorized to access the Application. Please read the Application’s privacy statement for information such as where and how the Application may use, store and transfer your information; what additional information it may collect; how you can review, edit and delete the information it holds and other choices you may have.

You can also store files, and can add or edit some information directly when logged into NexJ Connected Wellness.

By default, you are the custodian of any records you create on NexJ Connected Wellness. You may invite additional people to be custodians. Some of the information you store in the records you manage may be highly sensitive, so you need to consider carefully with whom you choose to share the information.

3. Sharing your Personal Health Information

A key value of NexJ Connected Wellness is the ability to share your health information with people and services who can help you meet your health-related goals. For example, you can share health information from records you control:

You can share information in a health record you are custodian of with another person by sending a sharing invitation via email through NexJ Connected Wellness. If the person accepts your sharing invitation and has or creates a NexJ Connected Wellness account, you have given him or her access to that information. You can add or remove people from sharing your account.

You can also share personal information and health information with Applications. You decide which Applications you want to use. You may need to agree to additional terms of use, an additional privacy statement and new financial terms before using a new Application. You can revoke an Application’s access to your data at any time. The access you grant to an Application through NexJ Connected Wellness is active until you revoke it.

4. Accuracy of your Personal Information

NexJ Health works hard to ensure that the information within NexJ Connected Wellness is accurate. Nevertheless, participants should be vigilant about the accuracy of their own data. The method for updating information depends on the information source.

Personal health information within NexJ Connected Wellness is entered via one of:

In the case of self-entered information, the Participant can correct the information themselves.

In the case of information entered by the Health Care Provider or a system integrated with NexJ Connected Wellness, the Participant must make the change request through the originating Health Care Provider or their Organization. Contacting the information source is necessary because NexJ Connected Wellness does not modify or provide edit capabilities for information received from other systems.

5. Processing of Personal Information

The legal basis for the collection and processing of any personal information or data is to meet NexJ Health’s contractual obligations to you, service providers and employees. NexJ Health uses personal information collected through NexJ Connected Wellness, including health information, to provide NexJ Connected Wellness services, as described in this privacy notice and the end user terms of use and in the terms of use and privacy statements of NexJ Connected Wellness Applications that you use.

In support of these uses NexJ Health may use and process personal information and data for the following purposes:

NexJ Health occasionally hires other companies and contractors to provide limited services on our behalf, such as security audits. NexJ Health gives those companies and contractors access only to the personal information they need to provide the services. NexJ Health requires these companies and contractors to maintain the confidentiality of the information and prohibits them from using the information for any other purpose. These companies and contractors are also required to follow our policies and procedures related to the treatment of personal information and health information.

NexJ Health may access and/or disclose your personal information if NexJ Health believes such action is necessary to: (a) comply with the law or legal process served on NexJ Health; (b) protect and defend the rights or property of NexJ Health (including the enforcement of our agreements); or (c) act in urgent circumstances to protect the personal safety and welfare of NexJ Connected Wellness users or members of the public.

5.1 Data Subject Rights

At any point while NexJ Health is in possession of or is processing your personal data or information, all Data Subjects have the following rights:

Furthermore, you can request the following information:

To access personal data held, identification will be required

NexJ Health will accept the following forms of identification when information on your personal data is requested: a copy of your driver’s license, passport, birth certificate and utility bill, bank statement, or credit card statement not older than three months. A minimum of one piece of photographic identification listed above and a supporting document is required. If NexJ Health is dissatisfied with the quality, further information may be sought before personal data can be released.

All requests should be made to dataprotection@nexjhealth.com with subject: Data Access Request.

Complaints

If you wish to make a complaint about how your personal data is being processed by NexJ or its partners, you have the right to complain. If you do not get a response within 30 days, you can complain to your local supervisory authority.

6. Aggregated, De-Identified and Anonymized Personal Information

NexJ Health may process aggregated information from NexJ Connected Wellness and Applications to improve the quality of NexJ Connected Wellness and for marketing NexJ Connected Wellness and Applications (e.g. to inform prospective platform sponsors and subscribers about NexJ Connected Wellness use). Aggregated information is not associated with any individual user and no user can be identified from it. De-Identified and Anonymized information may be shared with public health organizations, government, medical researchers and healthcare providers and companies for research and statistical purposes. NexJ Health contracts with these organizations to prevent them from attempting to identify you based on this information. NexJ Health may also use de-identified and anonymized information for research and statistical purposes and to improve the quality of NexJ Connected Wellness.

7. How NexJ Health Safeguards your Confidential Information

NexJ Connected Wellness is a secure cloud-based platform accessible from a desktop browser or mobile device. All applications access the NexJ Connected Wellness cloud through an Application Programming Interface (API) and pass through a perimeter security gateway to ensure that only authenticated users can access the system. The security gateway also protects against malicious attacks, viruses and malware.

If a NexJ Connected Wellness user (e.g. participant) has a relationship with another NexJ Connected Wellness user, as may be the case between a patient and a healthcare professional, and if those users intend to communicate data from their own clinical systems (for example, another EMR, or EHR, external to NexJ Connected Wellness), then NexJ Connected Wellness may exchange data with those external systems. Such communication is performed over a secure connection.

7.1 Who Can Access Your Personal Health Information?

Only individuals that have been given explicit access by the participant (i.e. patient) can view the participant’s personal health information. This is based on the participant’s defined Circle of Care – anyone the participant chooses to invite to support and participate in their own health and wellness, such as healthcare providers, family, friends, and advocates.

Providers can invite participants to join the platform. Providers can only access health information from participants they have invited to the platform, or from those participants that have added that provider to their Circle of Care.

NexJ Connected Wellness has been designed from the ground up to protect Personal Health Information (PHI) to the utmost degree. Our NexJ Health operational and support processes are designed with protection of PHI in mind as well.

The following safeguards are in place:

7.2 Cryptography

NexJ Health takes effective measures to ensure that your confidential information stays confidential on the Internet. NexJ Health uses strong encryption to conceal your information from those whom you have not authorized to access it. All web sessions for NexJ Connected Wellness are encrypted. Communications between NexJ Health and its partners’ Internet gateways (for example between NexJ Health and a partnering hospital) use digital certificates to confirm the identities of the communicating servers. Encrypted Virtual Private Networks (VPNs) are often used to provide an additional layer of confidentiality assurance.

7.3 Regulatory Compliance

In the jurisdictions where NexJ Connected Wellness is offered, NexJ Health complies with all applicable legal requirements. This includes HIPAA, PHIPA and GDPR.

7.4 Privacy and Security Awareness

No system can promise to be secure under all circumstances. NexJ Health’s commitment is to take commercially reasonable steps to minimize threats to your data security. NexJ Health takes this commitment seriously.

NexJ Health periodically commissions independent Privacy Impact Assessments (PIAs) and Threat Risk Assessments (TRAs) of NexJ Connected Wellness. The results of these assessments are updated regularly, and help us to plan protections against any new threats to your information that may develop. These Assessments are an assurance to you, and to our data partners, that your data is safe within our systems. NexJ Health has satisfied all of its data partners of the thoroughness of these Assessments. A summary of these Assessments is available on request.

8. Account Access and Controls

You consent to the creation of an account on NexJ Connected Wellness. The required account information consists of a small amount of information such as your name, email address and region. NexJ Health may request additional information, but NexJ Health clearly indicates that such information is optional. You may also consent to the release of information from a third party (such as a health care organization) to NexJ Connected Wellness. You can review and update your account information. You can modify, add or delete any optional account information by signing into NexJ Connected Wellness or by contacting privacy@nexjhealth.com.

You can close your account at any time by contacting privacy@nexjhealth.com. NexJ Health may wait for a short time period before permanently deleting your account in order to help avoid accidental or malicious removal of your information or to comply with any applicable laws.

When you close your account, all of your information is deleted.

9. Sharing Records with Applications

NexJ Health provides you with information about Applications that run on NexJ Connected Wellness. You should review information about the Applications including their privacy statements and terms of use prior to using them or allowing them to access your health information. If you have any concerns about an Application please contact privacy@nexjhealth.com.

10. Deleting Records including Health Information

Generally, you can delete records and health information using NexJ Connected Wellness. Alternatively, you can contact privacy@nexjhealth.com to delete records or health information. Deleting records and health information is permanent. NexJ Health may wait for a short time period before permanently deleting your records or health information in order to help avoid accidental or malicious removal of your information.

11. Use of Cookies

NexJ Health uses cookies with NexJ Connected Wellness to enable you to sign in and to help personalize your NexJ Connected Wellness experience. A cookie is a small text file that a web page server places on your hard disk. NexJ Health uses industry standard best practices to ensure our use of cookies does not put your personal information at risk. If you have concerns over the use of cookies you can modify your web browser settings to decline some or all cookies. This may result in a less pleasing user experience or require the repetition of certain configuration tasks.

NexJ Health uses Google Analytics. For information on how Google collects and processes data, please visit http://www.google.com/policies/privacy/partners/.

12. Changes to this Privacy Statement

NexJ Health may occasionally update this privacy statement. When NexJ Health does, the “last updated” date at the top of the privacy statement will be revised. For material changes to this privacy statement NexJ Health will notify you of the changes either by email or by notifying you through NexJ Connected Wellness. Your continued use of NexJ Connected Wellness constitutes your agreement to this privacy statement and any updates.

13. Enforcement of this Privacy Statement and Contact Information

If you have any urgent questions related to this Privacy Statement or any urgent privacy or security concerns please contact privacy@nexjhealth.com.

NexJ Health treats all privacy concerns, including complaints or challenges, with the utmost confidentiality.

NexJ Health’s Chief Privacy Officer, Dr. Noah Wayne, is responsible and accountable for this privacy statement and privacy related concerns with respect to NexJ Connected Wellness. He can be reached at the following address:

Dr. Noah Wayne, Chief Privacy Officer

NexJ Health Inc.
10 York Mills Road, Suite 700
Toronto, ON M2P 2G4
CANADA

Tel: +1-416-227-3700
Fax: +1-416-222-8623
Email: privacy@nexjhealth.com

14. Consent

By agreeing to this privacy notice you are consenting to NexJ Health collecting and processing your personal information and data for the purposes outlined. You further consent to the disclosure of personal data and any other privacy practices set out in this privacy notice. NexJ Health expressly reserves the right to change this privacy notice at any time. Please check here regularly to see the latest version of this notice.

You can withdraw consent at any time by emailing dataprotection@nexjhealth.com with subject: Web Privacy or by writing to the Chief Privacy Officer at the contact details above.