NEXGENRX PRIVACY POLICY

Purpose:

NexgenRx™ Inc. and its subsidiaries, affiliates and related entities (NexgenRx, MyBenetech and Canadian Benefit Administrators) is committed to protecting the privacy of individuals and ensuring the security of their personal health information. NexgenRX is a prescribed entity under Section 45 of the Ontario Personal Health Information Protection Act (PHIPA) (PHIPA S.45) and is authorized to collect personal health information for the purpose of benefit claims adjudication, payment processing and reporting for Clients, Providers and Members or compiling statistical information with respect to the management, evaluation or monitoring of the benefit support services provided by the Benefit Management System (BMS). NexgenRx has implemented policies, procedures and practices to protect the privacy of individuals whose personal health information it receives and to maintain the confidentiality of that information. As a prescribed entity, NexgenRx is subject to independent oversight by the Ontario Information and Privacy Commissioner and must have its information practices reviewed and approved by the Commissioner every 3 years (IPC Approval Process) . This review process provides the Canadian public with the assurance that NexgenRx’s information management practices comply with PHIPA and with privacy and security standard practices expected from the Commissioner. As a result, NexgenRx adheres to the provisions of PHIPA and its regulations applicable to prescribed entities and to any other applicable privacy legislation.

Commitment to Privacy & Security:

NexgenRx is committed to safeguarding its IT ecosystem, to securing its data holdings and to protecting health information with administrative, physical and technical security safeguards, appropriate to the sensitivity of the information. These safeguards protect NexgenRx’s data holdings against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. To this end, NexgenRx has developed a privacy and security framework as outlined in this policy that provides a coherent and comprehensive approach to enterprise privacy and security management. This policy is designed to enable the effective integration and coordination of NexgenRx’s privacy and security policies, and to provide NexgenRx’s decision- makers, information and privacy officer and the entire governance structure with a holistic view of the organization’s information management practices. It is intended to be a living document and is updated as NexgenRx’s Information and Privacy programs evolve over time.

NexgenRx is committed to the principle of openness about the management of personal health information and de- identified data. As such, NexgenRx makes its Privacy Policy publicly available.

Compliance, Audit and Enforcement:

The NexgenRx Code of Conduct describes the ethical and professional behaviour related to work relationships, information

— including personal health information — and the workplace. The code requires all employees to comply with the code and with all of NexgenRx’s policies, protocols and procedures, including this Privacy Policy. Compliance with NexgenRx’s Privacy Program is monitored through NexgenRx’s privacy audit procedures. Violations of the code are referred to Human Resources, as appropriate, and may result in disciplinary action up to and including dismissal.

Notification of breach:

Instances of non-compliance with privacy policies are managed through the office of the Information and Privacy Officer. Non-compliance requires staff to immediately report incidents and breaches to NexgenRx’ Information and Privacy Officer, including non- compliance with this policy or its procedures.

Policy objective:

The purpose of this policy is to protect the privacy of the personal information of the plan members of the Canadian based plan sponsors whose benefits plans we administer and ensure that personal health information and encrypted data resulting from personal health information are collected, used, disclosed, retained and disposed of in a manner consistent with this policy

and in accordance with applicable laws and agreements.

Definitions:

“PIPEDA”: The Personal Information Protection and Electronic Documents Act S.C. 2000, c.5 as amended from time to time.

“PHIPA”: The Ontario Personal Health Information Protection Act as amended from time to time. “FIPPA”: Freedom of Information and Protection of Privacy Act as amended from time to time. “PHI”: Personal Health Information.

“PI”: Personal Information.

“Commercial Activity”: any particular transaction, act, or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of individual, membership, or other personal information.

“Electronic Devices and Media”: USB, computers, photocopiers, scanners, tablets, diskettes, tapes, hard drives, thumb or jump drives, phones, and all other moveable or removable devices and media that may be used for the use, disclosure, or storage of Personal Information (PI) or Personal Health Information (PHI).

“Information Manager”: an individual, corporate organization, business, or association that processes, stores, or destroys PI or PHI, or provides information management or information technology services to or on behalf of NexgenRx.

“Integrity”: the preservation of the content of PI or PHI throughout its storage, use, transfer, and retrieval so that there is confidence that the information has not been tampered with or modified other than as authorized.

“Privacy Breach”: the collection, use, disclosure, or destruction of PI or PHI in contravention of FIPPA, or PIPEDA.

“Responsible Administrator”: Information and Privacy Officer

“Secured Place”: a physical environment for the temporary or permanent storage of, or for the use, processing, or communication of PI or PHI which physical environment has the following characteristics:

  • is readily accessible to only authorized persons,
  • is keyed or otherwise locked to allow entrance or access to authorized persons only
  • is protected by controls to protect against theft, vandalism, or accidental destruction or loss
  • is protected by controls to minimize loss, destruction, or deterioration caused by fire, water, humidity, or other hazards, and
  • has proper containers and adequate labelling to reduce accidental loss or destruction.

“Social Media”: websites and digital applications that enable users to create and share information, ideas, and similar content and create connections.

COMMON REQUIREMENTS IN RESPECT OF PERSONAL INFORMATION AND PERSONAL HEALTH INFORMATION

Collection of Personal or Personal Health Information

NexgenRx only collects from data providers, personal health information and data that is reasonably required for health system uses, including claims processing, audit and reporting.

  1. Only authorized persons may collect PI or PHI.
  2. Collection must be authorized by a statute or alternatively where the information collected relates directly and is necessary for an existing service, program, or activity of NexgenRx.
  3. PI or PHI shall be collected in a manner and location that ensures the security, accuracy, integrity, and confidentiality of the information, to the extent that it is reasonable to do so.
  4. Collection shall be limited to only as much PI or PHI as is reasonably necessary to accomplish the purpose for which it is being collected, and that a reasonable person would consider appropriate in the circumstances.
  5. Whenever possible, PI or PHI shall be collected directly from the individual to whom the information relates, unless a method of indirect collection authorized under FIPPA is necessary.
  6. If collecting PI or PHI directly from the individual to whom the information relates, he or she shall be provided with the purpose and the contact information of a NexgenRx employee who can answer questions about the collection, unless the company has recently provided the individual with this information about the collection of the same or similar PI or PHI for the same or a related purpose.
  7. If collecting PI directly from the individual to whom the information relates, the individual shall also be provided with the legal authority under which the information is collected, unless NexgenRx has recently provided the individual with this same information about the collection of the same or similar PI for the same or a related purpose.
  8. If collecting PI or PHI in the course of commercial activity, the consent of the individual to whom the information relates is required, unless;
    1. collection without consent is permitted under sections 7 to 7.4 of PIPEDA (PIPEDA S.7)
    1. it is impossible or impractical to seek consent, or
    1. the PI or PHI is not sensitive and the individual to whom the information relates would reasonably expect that consent is implied.

Access to Personal or Personal Health Information

  1. Only authorized persons may use and disclose PI or PHI and only as required for the purpose for which it was collected or disclosed unless the individual to whom the information relates has provided consent for other use or disclosure or use or disclosure is otherwise authorized under FIPPA.
  2. PI may be used or disclosed for a consistent purpose in accordance with s.45 of FIPPA. (FIPPA S.45)
  3. The use and disclosure of PI or PHI shall be in a manner and location that ensures the security, accuracy, integrity, and confidentiality of the information, to the extent that it is reasonable to do so.
  4. The use and disclosure of PI or PHI shall be limited to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed and that a reasonable person would consider appropriate in the circumstances.
  5. The use and disclosure of PI or PHI shall be limited to the fewest persons necessary to carry out the purpose for which the information is used or disclosed.
  6. PI or PHI shall not be disclosed to any person, unless the individual to whom the information relates has provided consent for the disclosure, or disclosure is otherwise authorized under FIPPA.
  7. Before using or disclosing PI or PHI, authorized persons shall take reasonable steps to ensure that the information is accurate, up-to-date, complete, and not misleading.
  8. Disclosure to an information manager may only be made as permitted under FIPPA.
  9. If using or disclosing PI or PHI in the course of commercial activity, the consent of the individual to whom the

information relates is required, unless

  1. use or disclosure without consent is permitted under sections 7 to 7.4 of PIPEDA (PIPEDA S.7)
    1. it is impossible or impractical to seek consent, or
    1. the PI or PHI is not sensitive and the individual to whom the information relates would reasonably expect that consent is implied.

Consent for collection, use, and disclosure of Personal or Personal Health Information.

Where consent is required for the Collection, Use, or Disclosure of PI or PHI, that consent shall, either directly with NexgenRx or indirectly through transferred Plan Sponsor or Groups Consent Agreements

  1. be in writing or otherwise electronically or manually recorded,
  2. relate to the purpose for which the information is used or disclosed
  3. be knowledgeable, so that it is reasonable to expect that an individual to whom NexgenRx’s activities are directed would understand the nature, purpose, and consequences of the collection, use, or disclosure of the PI or PHI to which they are consenting, including the implications of withdrawal of consent where applicable,
  4. be voluntary, and
  5. not be obtained through misrepresentation.

Security of Personal or Personal Health Information

  1. NexgenRx shall implement reasonable administrative, physical, and technical security safeguards that ensure the confidentiality, security, accuracy, and Integrity of the PI or PHI in their custody or under their control and protect against risks such as unauthorized access, use, disclosure, or destruction.
  2. In determining the reasonableness of security safeguards, NexgenRx shall take into account the degree of sensitivity and medium of the PI or PHI to be protected.
  3. Reasonable safeguards shall, at a minimum, include the safeguards outlined in these procedures.

Security of Personal or Personal Health Information – Administrative Safeguards

  1. Only Authorized Persons may have access to PI or PHI.
  2. NexgenRx employees shall regularly attend privacy training offered by the company’s Information and Privacy

Officer or complete other training as may be required by the company.

  • Authorized persons who may collect, use, disclose, store, or destroy PHI shall complete PHIA training and sign the PHIA Pledge of Confidentiality (see Appendix “A” attached).
  • As may be required, specific, department-level policies and procedures regarding the collection, use, disclosure, and protection of PI or PHI according to its sensitivity, shall be implemented, and copies provided to the company’s Information and Privacy Officer.

Security of Personal or Personal Health Information – Personal Safeguards

  1. Physical access to PI or PHI shall be limited to authorized persons only.
  2. Authorized persons shall not discuss others’ PI or PHI in the presence of those who are not authorized to know the information, and therefore shall not discuss others’ PI or PHI in public, unsecured, or open places where those who are not authorized to know the information are likely to be or have access.
  3. Paper files and electronic devices and media containing PI or PHI shall be stored in a secured place at all times other than when being used as a necessary function of work.
  4. PI or PHI shall not be transported or otherwise removed from a secured place unless necessary.
  5. If transporting or otherwise removing PI or PHI from a secured place, only the minimum amount of information necessary may be transported and it must be secured in a briefcase or similar closed, opaque container and under the care and control of an authorized person.
  6. Whenever practicable, PI or PHI shall be de-identified before removing it from a secured place.
  7. PI or PHI should not be left unattended or unsecured in a vehicle.
  • Where file folders, records storage boxes, electronic devices and media, and other storage containers contain PI or PHI, labelling or other means of identification shall only reveal the minimum amount of information that is necessary for identification and use.

Security of Personal Health Information – Technical Safeguards

  1. Access to PI or PHI maintained in electronic form shall be limited to authorized persons.
  2. Software, hardware, or operating system access controls such as strong passwords shall be used to prevent against unauthorized use, disclosure, or destruction of PI or PHI.
  3. Display screens shall be cleared without delay.
  4. Computers shall be logged off or shut down when not in use.
  5. If communicating PI or PHI through the mail or by fax, telephone, email, or social media, authorized persons shall consult the guidelines for the communication of personal and personal health information and take appropriate action.
  6. Password protection/encryption shall be used if transporting PI or PHI on electronic devices and media.
  7. The use and disclosure of PI or PHI shall be audited and tracked within the resources available.
  8. When electronic devices and media are disposed of or used for another purpose, all PI or PHI shall be completely and effectively removed or destroyed by overwriting deleted information, reformatting the electronic storage medium, or physically destroying the electronic storage medium.

Security of Personal or Personal Health Information – Destruction

PI or PHI shall be destroyed (within limits of contractual obligations) in a manner that takes into account the sensitivity of the information and protects the security, accuracy, integrity, and confidentiality of the individual’s information, including at a minimum:

  1. shredding of all paper records, and
  2. effective and complete deletion of the information on all electronic devices and media.

Security of Personal or Personal Health Information – Shared Network Drives

Where a department utilizes a shared network drive to maintain PI or PHI, NexgenRx shall:

  1. ensure that access to PI or PHI is restricted to authorized persons only
  2. maintain a record of the persons authorized to access PI or PHI, and
  3. regularly review the authorizations and update as required.

Privacy Breaches

  1. Any complaint received about a privacy breach, or any knowledge of a privacy breach or a reasonable suspicion of a privacy breach, shall be immediately reported to the NexgenRx’s Information and Privacy Officer.
  2. NexgenRx’s Information and Privacy Officer shall determine whether the alleged privacy breach warrants investigation, taking into consideration:
    1. the length of time that has elapsed since the alleged privacy breach,
    1. if the alleged privacy breach is trivial, or the complaint is otherwise not in good faith or frivolous, and
    1. if the circumstances of the alleged privacy breach warrant investigation.
  3. If a privacy breach warranting investigation is confirmed as a privacy breach under FIPPA, PHIA or PIPEDA, NexgenRx’s Information and Privacy Officer shall:
    1. take steps to contain the privacy breach, and
    1. implement corrective procedures to address the privacy breach and lessen the likelihood of future privacy breaches.
  4. NexgenRx’s Information and Privacy Officer shall generate a record of the privacy breach and the subsequent investigation and shall report the matter, as applicable, to:
    1. Information and Privacy Commissioner of Ontario (IPC), FIPPA, and
  • in the case of serious privacy breaches or privacy breaches in the course of commercial activity, the Privacy Commissioner of Canada, or law enforcement agencies as may be appropriate.

Retention and Disposition of Personal or Personal Health Information

  1. PI or PHI used to make a decision that directly affects the individual to whom the information relates shall be retained for a reasonable period of time in accordance with all applicable legislation, regulation, and NexgenRx’s Privacy policy.
  2. PI or PHI identified for destruction shall be destroyed in a manner that prevents unauthorized access, use, or disclosure, as set out in this policy.

Research Involving Personal or personal health information

  1. No person shall collect, use, or disclose PI or PHI for research except as permitted by NexgenRx.

Requests for Access to Personal Information

  1. Excepting only where there is an existing procedure for access to PI, individuals who wish to examine or receive a copy of their PI must submit a FIPPA request on the prescribed form (Request Form) to NexgenRx’s Information and Privacy Officer.
  2. Individuals who wish to examine or receive a copy of their PHI must submit a request to NexgenRx’s Information

and Privacy Officer.

  • NexgenRx’s Information and Privacy Officer shall make every reasonable effort to assist the individual making a request and to respond openly, accurately, completely and without delay.
  • NexgenRx’s Information and Privacy Officer shall respond within 30 days.
  • If the time limit to respond to a request for access expires on a statutory holiday or a company closure day, the time limit is extended to the next business day.
  • Prior to permitting an individual to examine or receive a copy of his or her PHI, NexgenRx’s Information and Privacy

Officer shall confirm the identity of the requester.

  • On request, NexgenRx’s Information and Privacy Officer shall provide the individual with an explanation of any term, code, or abbreviation used in the PHI.
  • NexgenRx’s Information and Privacy Officer is not required to permit an individual to view or copy his or her PHI.
  • NexgenRx’s Information and Privacy Officer who refuses to permit an individual to view or receive a copy of their PHI shall, to the extent possible, sever, redact or otherwise remove the PHI that cannot be released, permit the individual to view and receive a copy of the remainder of the information, and inform the individual of their right to complain to the Privacy Commissioner of Ontario about the refusal. (IPC Access and Correction)

Requests for Correction of Personal or Personal Health Information

Individuals may submit a request for correction of PI or PHI in writing to the NexgenRx’s Information and Privacy Officer.

Exercising Rights of Another Person

Any right or power conferred on an individual by this Policy may be exercised by another person pursuant to FIPPA (FIPPA S.66) or PHIA (PHIA S.25 to 28).

ADDITIONAL REQUIREMENTS IN RESPECT OF PERSONAL HEALTH INFORMATION

Definitions:

“Demographic or Eligibility Information”: PHI about an identifiable individual as defined in PHIA, including the

individual’s:

  • name
  • signature
  • address
  • email
  • phone number
  • sex
  • date of birth
  • date of death
  • family associations
  • eligibility for Health Care coverage
  • jurisdiction of residence
  • Personal Health Number (PHN)
  • a unique identifier equivalent to the PHN assigned by another jurisdiction that pays for Health Care
  • a unique identifier – not including a Social Insurance Number or, except as provided above, any other pre-existing identifier – assigned to an individual by a trustee for its own purposes.

“Electronic Health Information System”: a computer system or systems delegated to hosting PHI for access by authorized persons.

“Record of User Activity”: a Record about access to PHI maintained on an electronic health information system, which identifies the following:

  • individuals whose PHI has been accessed
  • persons who accessed PHI
  • when PHI was accessed
  • the electronic health information system or component of the system in which PHI was accessed, and
  • whether PHI that has been accessed is subsequently disclosed

Security of Personal Health Information – Electronic Health Information Systems

  1. Where an individual utilizes an electronic health information system to maintain PHI, NexgenRx shall:
    1. create and maintain, or have created and maintained, a record of user activity for at least three (3) years,
  2. A record of user activity may be generated manually or electronically.
  3. A record of user activity is not required:
    1. if the PHI is limited to, or qualifies or further describes, demographic or eligibility information, or
    1. if PHI is accessed or disclosed while an authorized person is generating, distributing, or receiving a statistical report, as long as NexgenRx:
      1. maintains a record of the persons authorized to generate, distribute, and receive such reports, and
      1. regularly reviews the authorizations.

Audit of Personal Health Information Security Safeguards

  1. NexgenRx shall conduct a review of administrative, physical, and technical security safeguards employed to protect PHI in the custody or under the control of the company at least every two years.
  2. If a review identifies deficiencies in NexgenRx’s security safeguards, the company’s Information and Privacy Officer

shall make recommendations to take steps to correct the deficiencies as soon as is practicable to do so.

  • NexgenRx’s Information and Privacy Officer shall document the findings of the review along with any recommendations to monitor and ensure compliance under PHIA.

Notice of Right to Access Personal Health Information

  1. Departments that retain PHI must use a sign, poster (PHI Poster), brochure, or other similar type of notice to inform individuals of their rights to examine and receive a copy of their PHI and to authorize another person to examine and receive a copy of the PHI subject to the right of the company to refuse as set out under PHIA (PHIA S.54(1)(c)).
  2. The sign, poster, brochure, or similar type of notice must be prominently displayed in as many locations and in such numbers as the company reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention.

These Procedures shall be reviewed in conjunction with the Privacy policy review at least once every five (5) years, or more frequently as required to reflect changes in legislation or to related company policies, procedures, and processes.

QUESTIONS ABOUT THIS PRIVACY POLICY AT NEXGENRX

Questions, concerns or complaints about NexgenRx’s handling of the personal health information or encrypted data it

holds should be addressed to NexgenRx’s Information and Privacy Officer at the following coordinates:

Andrew Munroe, SVP Pharma and Payor Partners, Information and Privacy Officer

191 The West Mall Suite 905 Etobicoke, ON M9C 5K8

Phone: (416) 695-3393

Email: AMunroe@NexgenRx.com

The Information and Privacy Officer may direct an inquiry or complaint to the Privacy Commissioner of the jurisdiction of the person making the inquiry or complaint. For other information on NexgenRx’s privacy policies, procedures and practices, and its partners, visit https://www.NexgenRx.com/.