Health Privacy Addendum

This Health Privacy Addendum (“Addendum”) is incorporated by reference in the Terms of Service entered into between Aeon Health (“Aeon”) and Customer and sets out how Health Information may be Processed in connection with Aeon’s provision of the Service. The guiding principles of this Addendum are those set out in Health Privacy Laws.

  1. Definitions. Capitalized terms used but not defined herein will have the same meaning set forth in the Terms of Service. For the purposes of this Addendum:

    1. “Health Information” means any information which is “health information” or “personal health information” or such similar term as defined in Health Privacy Laws and which is Processed by Aeon in connection with the Service.

    2. “Personnel” means individual employees, agents, or contractors.

    3. “Health Privacy Laws” means all Privacy Laws governing the Processing of Health Information in the jurisdictions where Customer has subscribed to use the Service.

    4. “Processing” means the collection, use, or disclosure, including, for greater certainty, any access, retention, modification, copying, storage, safeguarding, de-identification, anonymization, or destruction of Health Information. “Processed” and “Process” have a corresponding meaning.

    5. “Privacy Breach” means any theft or loss of or unauthorized Processing of Health Information or other breach of the protection of Health Information.

  2. Processing of Health Information

    1. Each party shall Process Health Information in compliance with Health Privacy Laws and this Addendum. Aeon shall Process Health Information only as required to (i) fulfill its obligations under the Terms of Service; (ii) carry out Customer’s documented instructions; or (iii) comply with Health Privacy Laws. Aeon shall only use as much Health Information as is reasonably necessary to fulfill its obligations under the Terms of Service. 

    2. In accordance with the Terms of Service, Aeon may generate Anonymized Data from the Health Information. Aeon represents and warrants that (i) it has implemented adequate technical and organizational measures to ensure that the method it uses to generate the Anonymized Data is appropriate, given the risks of re-identification, and (ii) Anonymized Data does not contain Health Information.

  3. Personnel and Subcontractors

    1. Aeon shall only grant access to those of its Personnel who have a need to access Health Information for the purposes of providing the Service. Aeon shall ensure that those of its Personnel who have access to Health Information are subject to binding obligations substantially similar to those imposed upon Aeon in this Addendum.

    2. Aeon shall not allow any Subcontractor to Process Health Information except as necessary to provide the Service and in accordance with the Terms of Service. Aeon shall ensure its arrangement with any Subcontractor who Processes Health Information is governed by written agreement which offers substantially the same level of protection for Health Information as required by this Addendum. Upon Customer’s written request, Aeon shall provide Customer with a current list of Subcontractors that Process Health Information on behalf of Aeon, including a description of the services provided and applicable processing jurisdictions.

  4. Individual Requests, Inquiries

    1. If Aeon receives a request from an individual to exercise their rights under Health Privacy Laws, including any applicable right of access or correction, or right to place conditions on consent, Aeon shall promptly advise the requestor that it does not control Health Information and shall direct the requestor to Customer. Aeon shall reasonably cooperate with and assist Customer in the management of any such individual request.

    2. If Aeon receives notice of a complaint or inquiry involving Health Information, Aeon shall promptly notify Customer. Aeon shall reasonably cooperate with and assist Customer in connection with responding to any complaints or inquiries involving Health Information or investigations connected therewith.

  5. Security Safeguards 

    1. Aeon shall maintain reasonable administrative, technical and physical safeguards designed to protect Health Information against Privacy Breaches and unauthorized Processing, consistent with industry standards and the nature and sensitivity of the Health Information Processed through the Service. Such safeguards may include, as appropriate:

      1. encryption of Health Information in transit and at rest;

      2. role-based access controls and authentication measures;

      3. confidentiality obligations applicable to Personnel;

      4. logging and monitoring of access to systems containing Health Information; and

      5. policies and procedures relating to the secure retention and disposal of Health Information.

    Aeon shall take reasonable steps to segregate Health Information from other information owned by Aeon or third parties, which may include logical segregation. Aeon shall only Process Health Information within Canada and the United States.

    2. Aeon has established and implemented information policies and procedures relating to the collection, use, disclosure, retention and disposal of Health Information. Aeon shall monitor and enforce compliance with its own information policies and procedures.

    3. In the event that Aeon becomes aware of a Privacy Breach involving Health Information, Aeon shall notify Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of the Privacy Breach. Aeon shall reasonably cooperate with Customer to enable Customer to comply with its obligations under Health Privacy Laws. Aeon shall not disclose to any third party the circumstances of the Privacy Breach without the prior written consent of Customer, except as required by law.

    4. During the Term and for a period of one year thereafter, Aeon shall obtain or maintain industry standard third-party certifications and audits as reasonably determined by Aeon, such as SOC 2 and ISO 27001. Upon Customer’s written request, Aeon shall make available to Customer or its independent third-party auditor information regarding Aeon’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits, or summaries thereof. At Customer’s written request, Aeon shall provide reasonable explanations of relevant matters which are not covered in such certifications or audits, or of non-conformities identified in such audits.

  6. Retention and Return of Health Information

    1. Aeon shall not retain or dispose of any Health Information unless authorized by Customer or required by Health Privacy Laws.

    2. In the event of the termination of the Terms of Service, or at any other time on the written request of Customer, Aeon shall securely delete, anonymize, return, or destroy all Health Information in its possession or control, in accordance with applicable Health Privacy Laws and Aeon’s data retention and destruction procedures.

Such deletion or destruction may include:
(i) deletion of customer accounts and associated records from active production systems;
(ii) anonymization of patient records where appropriate and consistent with applicable Health Privacy Laws;
(iii) secure deletion of files stored in cloud storage systems; and
(iv) deletion of Health Information from backup systems in accordance with standard backup retention and overwrite practices.

Any Health Information temporarily retained within encrypted backup systems shall remain subject to the safeguards set out in this Addendum until deleted in the ordinary course.

  7. General

    1. This Addendum is deemed part of and integrated in the Terms of Service, provided that this Addendum prevails over the other parts of the Terms of Service in case of conflict or inconsistency. 

    2. All provisions of this Addendum which, by their nature, ought to survive any termination or expiry of the Terms of Service shall survive any such termination for as long as Aeon has custody or control of any Health Information or as otherwise stated in this Addendum.