(last updated: March 2020)

What’s changing?

We’re adding more detail about how and why we use the information and data we collect about you, how we process it, how we share it, and your right with that data.

Why are we making these changes?

We are adding privacy notice information for privacy rules that apply in your region. We’re using this opportunity to make sure we’re clear on how we use your information regardless of where you live.

Does this affect the way I use the Connected Wellness Platform?

Not at all. Your Connected Wellness Platform experience will stay the same.

What if I don’t agree with the changes?

If you don’t agree with the changes, you can close your account. Or, if you have specific questions about the changes, please contact dataprotection@nexjhealth.com so we can answer any questions you have.

Introduction

NexJ Health is committed to protecting your privacy. This privacy notice applies to the data collected by NexJ Health through NexJ Connected Wellness. It does not apply to data collected by NexJ Health through other online or offline NexJ Health sites, products or services.

NexJ Connected Wellness is a personal health platform that lets you gather, edit, add to, store, and share health information online. With NexJ Connected Wellness, you can control your own health records. You can also share your health information with family, friends, health care professionals, mobile phone applications, health related devices, and online tools.

You can choose to share information with separate applications that can connect with or run on NexJ Connected Wellness (“Applications”) to use, edit and add to your health record. Applications can help you manage your information and find relevant health information.

You can choose to share specific information (or all information) with:

• Other people (such as friends and family)
• Applications (such as Applications that add data to your health records, provide information to your healthcare provider, or use some of your health records to provide information to you about managing your health)

Please read the NexJ Connected Wellness – End User Terms of Use.

1. Collection of your personal information

NexJ Connected Wellness asks you to enter an identifier and password to sign in. The first time you sign in to Connected Wellness you may be asked to provide personal information such as name, date of birth, email, and residential address. Depending on which features you use, you may be asked for additional information for that feature (such as the name of your health care provider or insurance information).

NexJ Health may use the email address you provide to send you an email requesting that you validate your email address, to include in sharing invitations you send through Connected Wellness and to send you NexJ Connected Wellness notifications, such as email notification that information or messages are available to you on NexJ Connected Wellness. As described in their privacy statements, Applications you authorize may also use your email address.

NexJ Connected Wellness allows you to manage one or more health records, such as the ones you create for yourself and your family members. Generally, you choose what information to put in your records. Depending on the Applications that you use on NexJ Connected Wellness you may be asked to consent to the release of a copy of medical records or information from a health care organization or provider. When you consent to the release of a copy of medical records or information to NexJ Connected Wellness, the health care organization or provider remains the custodian of the original records and you are responsible for managing the copy released to NexJ Connected Wellness. Examples of the types of information you can store in your health record on NexJ Connected Wellness include:

• Discharge summaries from hospitalizations
• Transitional care management plans created after your release from hospital
• Health care appointment details
• eConsult information in preparation for medical appointments
• Pictures of meals and food you’ve eaten
• Fitness related activities such as aerobic sessions
• Measurements such as blood glucose, weight and blood pressure
• Lab results
• Medications
• Health history

You can use Applications to enter a wide range of health information into your health record. You can give Applications permission to view, add, modify, and/or delete information in a record. Some Applications store their own copy of the information they access. If an Application has its own privacy statement, NexJ Connected Wellness will provide you a link to such privacy statement at the time you are authorized to access the Application. Please read the Application’s privacy statement for information such as where and how the Application may use, store and transfer your information; what additional information it may collect; how you can review, edit and delete the information it holds and other choices you may have.

You can also store files, and can add or edit some information directly when logged into NexJ Connected Wellness.

By default, you are the custodian of any records you create on NexJ Connected Wellness. You may invite additional people to be custodians. Some of the information you store in the records you manage may be highly sensitive, so you need to consider carefully with whom you choose to share the information.

2. Sharing your Personal Health Information

A key value of NexJ Connected Wellness is the ability to share your health information with people and services who can help you meet your health-related goals. For example, you can share health information from records you control:

• To get your primary physician’s assistance with a transitional care management plan after your release from hospital
• To get family members to help you manage your health
• To use products and services that can improve or monitor your health
• To provide health information to a health coach who can assist you in meeting health and fitness goals

You can share information in a health record you are custodian of with another person by sending a sharing invitation via email through NexJ Connected Wellness. If the person accepts your sharing invitation and has or creates a NexJ Connected Wellness account, you have given him or her access to that information. You can add or remove people from sharing your account.

You can also share personal information and health information with Applications. You decide which Applications you want to use. You may need to agree to additional terms of use, an additional privacy statement and new financial terms before using a new Application. You can revoke an Application’s access to your data at any time. The access you grant to an Application through NexJ Connected Wellness is active until you revoke it.

3. Accuracy of your Personal Information

NexJ Health works hard to ensure that the information within NexJ Connected Wellness is accurate. Nevertheless, participants should be vigilant of the accuracy of their own data. The method for updating information depends on the information source.

Personal health information within NexJ Connected Wellness is entered via one of:

• Entered by the Participant themselves,
• Entered by a person whom the Participant has granted access,
• Entered by their Health Care Provider, or
• Imported from a Health Care Provider system via system integration.

In the case of self-entered information, the Participant can correct the information themselves.

In the case of information entered by the Health Care Provider or a system integrated to NexJ Connected Wellness, the Participant must make the change request through the originating Health Care Provider or their Organization. Contacting the information source is necessary because NexJ Connected Wellness does not modify or provide edit capabilities for information received from other systems.

4. Processing of Personal Information

The legal basis for the collection and processing of any person information or data is to meet NexJ Health’s contractual obligations to you, service providers and employees. NexJ Health uses personal information collected through NexJ Connected Wellness, including health information, to provide NexJ Connected Wellness service, and as described in this privacy notice and the end user terms of use and in the terms of use and privacy statements of NexJ Connected Wellness Applications that you use.

In support of these uses NexJ Health may use and process personal information and data for the following purposes:

• To provide you with the health coaching and patient health management services offered by the NexJ Connected Wellness Platform
• To analyze and optimize information and data in order to improve the NexJ Connected Wellness platform and the services provided
• To provide you with important information about NexJ Connected Wellness and Applications, including critical updates and notifications
• To send you newsletters if you opt-in
• To display relevant advertisements if you opt in
• To assist us with complying with applicable laws

NexJ Health occasionally hires other companies and contractors to provide limited services on our behalf, such as security audits for example. NexJ Health gives those companies and contractors access only to the personal information they need to provide the services. NexJ Health requires these companies and contractors to maintain the confidentiality of the information and prohibit them from using the information for any other purpose. These companies and contractors are also required to follow our policies and procedures related to the treatment of personal information and health information.

NexJ Health may access and/or disclose your personal information if NexJ Health believes such action is necessary to: (a) comply with the law or legal process served on NexJ Health; (b) protect and defend the rights or property of NexJ Health (including the enforcement of our agreements); or (c) act in urgent circumstances to protect the personal safety and welfare of NexJ Connected Wellness users or members of the public.

4.1 Data Subject Rights

At any point while NexJ Health is in possession of or is processing your persona data or information, all Data Subjects have the following rights:

• Transfer personal data from one electronic processing system to and into another electronic processing system;
• Know what data has been collected about you and how such data has been processed;
• Make changes to inaccurate data;
• Withdraw consent to have your data processed and to have your personal data deleted. Note that NexJ Health may be obligated to retain certain personal data on behalf of health professionals in order to comply with applicable laws;
• Be informed, in clear and plain language, of what data is being collected and processed.
• The right to know whether data concerning you is being processed and if so, the right to access it;
• The right to limit the scope of processing of your personal data. Limiting the scope of processing may impact your ability to use the NexJ Connected Wellness Platform;
• The right to object to having your personal data processed. Objecting to having your personal data processed will impact your ability to use the NexJ Connected Platform;
• The right to not be subject to processing done solely on an automated basis (i.e., profiling).

Furthermore, you can request the following information:

• Identity and the contact details of the person or organisation that has determined how and why to process your data.
• Contact details of the Data Protection Officer, where applicable.
• The purpose of the processing as well as the legal basis for processing.
• If the processing is based on the legitimate interests of NexJ Health or a third party such as one of its clients, information about those interests.
• The categories of personal data collected, stored and processed.
• Recipient(s) or categories of recipients to whom the data are/will be disclosed.
• How long the data will be stored.
• Details of your rights to correct, erase, restrict or object to such processing.
• Information about your right to withdraw consent at any time.
• How to lodge a complaint with the Office of the Information Commissioner (Data Protection Regulator) or Personal Data Protection Commission (PDPC).
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
• The source of personal data if it wasn’t collected directly from you.
• Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

To access personal data held, identification will be required

NexJ Health will accept the following forms of identification when information on your personal data is requested. A copy of your driver’s license, passport, birth certificate and utility bill, bank statement, or credit card statement not older than three months old. A minimum of one piece of photographic identification listed above and a supporting document is required. If NexJ Health is dissatisfied with the quality, further information may be sought before personal data can be released.

All requests should be made to dataprotection@nexjhealth.com with subject: Data Access Request.

4.2 Complaints

If you wish to make a complaint about how your personal data is being processed by NexJ or its partners, you have the right to complain. Please refer to Section 12 for Enforcement of this Privacy Statement and Contact Information. If you do not get a response within 30 days, you can complain to your local supervisory authority.

5. Aggregated, De-Identified and Anonymized Personal Information

NexJ Health may process aggregated information from NexJ Connected Wellness and Applications to improve the quality of NexJ Connected Wellness and for marketing NexJ Connected Wellness and Applications (e.g. to inform prospective platform sponsors and subscribers about NexJ Connected Wellness use). Aggregated information is not associated with any individual user and no user can be identified from it. De-Identified and Anonymized information may be shared with public health organizations, government, medical researchers and healthcare providers and companies for research and statistical purposes. NexJ Health contracts with these organizations to prevent them from attempting to identify you based on this information. NexJ Health may also use de-identified and anonymized information for research and statistical purposes and to improve the quality of NexJ Connected Wellness.

6. How NexJ Health Safeguards your Confidential Information

NexJ Connected Wellness is a secure cloud-based platform accessible from a desktop browser or mobile device. All applications access the NexJ Connected Wellness cloud through an Application Programming Interface (API) and pass through a perimeter security gateway to ensure that only authenticated users can access the system. The security gateway also protects against malicious attacks, viruses and malware.

If a NexJ Connected Wellness user (e.g. participant) has a relationship with another NexJ Connected Wellness user, as may be the case between a patient and a healthcare professional, and if those users intend to communicate data from their own clinical systems (for example, another EMR, or EHR, external to NexJ Connected Wellness), then NexJ Connected Wellness may exchange data with those external systems. Such communication is performed over a secure connection.

6.1 Who Can Access Your Personal Health Information?

Only individuals that have been given explicit access by the participant (i.e. patient) can view the participant’s personal health information. This is based on the participant’s defined Circle of Care – anyone the participant chooses to invite to support and participate in their own health and wellness, such as healthcare providers, family, friends, and advocates. Providers can invite participants to join the platform. Providers can only access health information from participants they have invited to the platform, or from those participants that have added that provider to their Circle of Care.

NexJ Connected Wellness has been designed from the ground-up to protect Personal Health Information (PHI) to the utmost degree. Our NexJ Health operational and support processes are designed with protection of PHI in mind as well.

The following safeguards are in place:

• Data is stored in encrypted format in the NexJ Connected Wellness database
• Data is stored in the jurisdiction in which it is collected
• All data transmitted within the system is transferred using secure HTTPS connections
• The NexJ Connected Wellness website is only accessible to providers and participants through HTTPS
• Strong passwords are enforced by the system
• All transactions within the system are logged using ATNA-compliant audit records to allow monitoring or activity, as well as investigation of any possible privacy or security breaches
• All NexJ Health employees are subject to a criminal and background check
• All NexJ Health employees sign Privacy and Confidentiality Agreements
• All staff involved with NexJ Connected Wellness are given specific training in Privacy and Security, including training on the handling of PHI
• Access to the production environment is carefully controlled and only a small number of IT staff have access to the production system
• NexJ Health has defined and detailed procedures to handle security and privacy breaches
• Privacy and Security Overview
• Hosted Environment
• NexJ Connected Wellness systems are hosted in a Tier IV data center that implements the following physical controls:
  • Biometric security enforced through an iris scanner to ensure only authorized people enter the facility
  • Guarded entrances that have security cameras to scan and digitally record the interior and exterior of the facility 24 hours a day
  • Security cameras that incorporate low-light technology to allow clear visibility at night
  • Single secure entrance for customers
  • The data centre is equipped with:
  • Cooling units with redundant compressors and AC units that are computer controlled to maintain temperature and humidity in the facility
  • Fire suppression capabilities that are executed through FM-200 gas that extinguishes fire without water, to ensure no water damage to the equipment
  • A back-up sprinkler system that is installed and operates as a pre-action system, keeping pressurized air in the pipes
  • An Uninterrupted Power Supply (UPS) systems and a high capacity generator

6.2 Cryptography

NexJ Health takes effective measures to ensure that your confidential information stays confidential on the Internet. NexJ Health uses strong encryption to conceal your information from those whom you have not authorized to access it. All web sessions for NexJ Connected Wellness are encrypted. Communications between NexJ Health and its partners’ Internet gateways (for example between NexJ Health and a partnering hospital) use digital certificates to confirm the identities of the communicating servers. Encrypted Virtual Private Networks (VPNs) are often used to provide an additional layer of confidentiality assurance.

6.3 Regulatory Compliance

In the jurisdictions where NexJ Connected Wellness is offered, NexJ Health complies with all applicable legal requirements. This includes HIPAA, PHIPA, GDPR, and PDPA.

6.4 Privacy and Security Awareness

No system can promise to be secure under all circumstances. NexJ Health’s commitment is to take commercially reasonable steps to minimize threats to your data security. NexJ Health takes this commitment seriously.

NexJ Health periodically commissions independent Privacy Impact Assessments (PIAs) and Threat Risk Assessments (TRAs) of NexJ Connected Wellness. The results of these assessments are updated regularly, and help us to plan protections against any new threats to your information that may develop. These Assessments are an assurance to you, and to our data partners, that your data is safe within our systems. NexJ Health has satisfied all of its data partners of the thoroughness of these Assessments. A summary of these Assessments is available on request.

7. Account Access and Controls

You consent to the creation of an account on NexJ Connected Wellness. The required account information consists of a small amount of information such as your name, email address and region. NexJ Health may request additional information, but NexJ Health clearly indicates that such information is optional. You may also consent to the release of information from a third party (such as a health care organization) to NexJ Connected Wellness. You can review and update your account information. You can modify, add or delete any optional account information by signing into NexJ Connected Wellness or by contacting privacy@nexjhealth.com.

You can close your account by contacting privacy@nexjhealth.com. NexJ Health may wait for a short time period before permanently deleting your account in order to help avoid accidental or malicious removal of your information or to comply with any applicable laws.

8. Sharing Records with Applications

NexJ Health provides you with information about Applications that run on NexJ Connected Wellness. You should review information about the Applications including their privacy statements and terms of use prior to using them or allowing them to access your health information. If you have any concerns about an Application please contact privacy@nexjhealth.com.

9. Deleting Records including Health Information

Generally, you can delete records and health information using NexJ Connected Wellness. Alternatively, you can contact privacy@nexjhealth.com to delete records or health information. Deleting records and health information is permanent. NexJ Health may wait for a short time period before permanently deleting your records or health information in order to help avoid accidental or malicious removal of your information.

10. Use of Cookies

NexJ Health uses cookies with NexJ Connected Wellness to enable you to sign in and to help personalize your NexJ Connected Wellness experience. A cookie is a small text file that a web page server places on your hard disk. NexJ Health uses industry standard best practices to ensure our use of cookies does not put your personal information at risk.

10.1 Google Analytics

NexJ Health uses Google Analytics. For information on how Google collects and processes data, please visit http://www.google.com/policies/privacy/partners/.

10.2 Opt-Out of Cookies and Google Analytics

If you do not want your browser to accept cookies, you can modify the cookie option in your browser’s settings. However, some Site features or services may not function properly or be accessible without cookies. For additional information on opting out of Google Analytics tracking cookies, please visit https://tools.google.com/dlpage/gaoptout.

11. Changes to this Privacy Statement

NexJ Health may occasionally update this privacy statement. When NexJ Health does, the “last updated” date at the top of the privacy statement will be revised. For material changes to this privacy statement NexJ Health will notify you of the changes either by email or by notifying you through NexJ Connected Wellness. Your continued use of NexJ Connected Wellness constitutes your agreement to this privacy statement and any updates.

12. Enforcement of this Privacy Statement and Contact Information

If you have any urgent questions related to this Privacy Statement or any urgent privacy or security concerns please contact privacy@nexjhealth.com.

NexJ Health treats all privacy concerns, including complaints or challenges, with the utmost confidentiality.

NexJ Health’s Chief Privacy Officer, Sabina Girard, is responsible and accountable for this privacy statement and privacy related concerns with respect to NexJ Connected Wellness. She can be reached at the following address:

Sabina Girard, Chief Privacy Officer

NexJ Health Inc.
10 York Mills Road, Suite 700
Toronto, ON M2P 2G4
CANADA

Tel: +1-416-227-3700
Fax: +1-416-222-8623
Email: privacy@nexjhealth.com

13. Consent

By agreeing to this privacy notice you are consenting to NexJ Health collecting and processing your personal information and data for the purposes outlined. You further consent to the disclosure of personal data and any other privacy practices set out in this privacy notice. NexJ Health expressly reserves the right to change this privacy notice at any time. Please check here regularly to see the latest version of this notice.

You can withdraw consent at any time by emailing dataprotection@nexjhealth.com with subject: Web Privacy or by writing to the Chief Privacy Officer at the contact details above.

© 2020 NexJ Health Inc.