Privacy Policy | Security Policy

Exan Group General Privacy Policy

Introduction

Exan Group of Companies (“Exan”) is committed to safeguarding the personal information entrusted to us by our customers. From the smallest rural dental practice to the largest dental academic institution that we serve, we provide our customers with the ability to manage information efficiently. Information is our business and, as such, the security and protection of personal information is at the core of everything we do. We understand that personal health information must be handled with the utmost care. In fact, the success of our business depends on it.

We manage all personal information in compliance with the applicable laws that govern our ability to access, collect, use, disclose, retain and dispose of personal information throughout Canada.

Exan’s policies and procedures meet or exceed the obligations set out in the Canada Personal Information Protection and Electronic Documents Act; British Columbia Personal Information Protection Act; Alberta Health Information Act; Saskatchewan Health Information Protection Act; Manitoba Personal Health Information Act; Ontario Personal Health Information Protection Act; New Brunswick Personal Health Information Privacy and Access Act; Nova Scotia Freedom of Information and Protection of Privacy Act; Prince Edward Island Freedom of Information and Protection of Privacy Act; and Newfoundland and Labrador Personal Health Information Act (together, the “Applicable Privacy Laws”).

Relevant to our customers located in the United States of America, Exan is fully compliant with the Health Insurance Portability and Accountability Act of 1996 and its associated regulations.

What is personal information?

For the purposes of this Policy:

“Personal information” means any information about an identifiable individual and includes things such as name, age, gender, home address and telephone number, personal e-mail address, Social Insurance Number, date of birth, marital status, education, personal health information, financial and banking information, as well as certain personal opinions or views of an individual.

“Personal Health Information” is a specific type of Personal Information that, with respect to an individual, whether living or deceased, means:

(a) information concerning the physical or mental health of the individual;

(b) information concerning any health service provided to the individual;

(c) information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;

(d) information that is collected in the course of providing health services to the individual;

(e) information that is collected incidentally to the provision of health services to the individual.

Collection and Use of Personal Information

There are two different circumstances under which Exan collects and/or uses Personal Information. We describe these under the separate headings of “Customer Information” and “Custodian’s Records” below:

Customer Information

Exan collects the information needed to provide requested software applications and support services to our customers and to communicate newsletters, updates and promotional materials to current and prospective customers.

The type of information that we typically collect from our customers includes your mailing address, e-mail address, phone number(s), computer system information and reasonably necessary Personal Information such as your identification, credit card and/or banking information.

In addition, Exan may also collect information about prospective customers from external sources such as public or commercial directories and listings.

Exan does not sell, trade, barter or exchange its customer list or any Personal Information that it has obtained from its customers or prospective customers.

Custodian’s Records

In providing software applications and related support services to dentists and dental academic institutions, Exan may access Personal Health Information that our customers have collected from their patients. Applicable Privacy Laws recognize this reality and contain special rules that govern the relationship between a dentist and IT service provider such as Exan in these circumstances.

Although the Applicable Privacy Laws describe the concept using various terms such as custodian, public body, trustee, health care custodian, organization or covered entity (collectively, the “Custodian”), these terms all reflect the common requirement that the dentist or dental academic institution that initially collects Personal Health Information from an individual is rendered the Custodian of that information and remains ultimately responsible for its security and protection at all times.

Exan accesses Personal Health Information for the sole purpose of providing information technology products and services to its customer, the Custodian of that information. Although privacy laws describe Exan’s role in this regard using various terms such as information manager, service provider, information management service provider, processor, affiliate, agent or business agent (collectively, the “IT Service Provider”), these terms all reflect the common understanding that as an IT Service Provider, Exan makes no use of Personal Health Information other than to provide products and services to its customer, the Custodian.

Limits on Collection, Use and Disclosure

Customer Information

Exan only collects, uses and/or discloses Personal Information that is reasonably necessary to fulfill the purposes identified in this Policy.

Exan asks for consent before it collects, uses or discloses current or prospective customers’ Personal Information except in specific circumstances when collection, use or disclosure without consent is authorized or required by law – for example, in response to a court order, subpoena or search warrant.

Consent may be express or implied. Exan prefers to obtain express consent from its current and prospective customers and will typically ask you to provide your consent orally (in person or by phone), in writing or electronically. Consent may also be implied through action (i.e. you contact us with respect to purchasing our products or services) or inaction (i.e. you do not respond to an offer to have your email address removed from our newsletter list).

If Exan wishes to use or disclose Personal Information it has previously collected about you for a new business purpose, we will ask for your consent before doing so.

A customer may withdraw consent to Exan’s use and disclosure of his/her Personal Information at any time by providing us with reasonable notice, unless the withdrawal of consent would break a legal duty or contract between us.

Providing Personal Information to Exan means that you agree that we may collect, use and disclose your Personal Information in accordance with this Policy. If you do not agree with our Policy, please do not provide your Personal Information to Exan. Unfortunately, if you choose not to provide necessary Personal Information to us or withdraw consent, we may not be able to supply you with our software or services.

Custodian’s Records

Exan only accesses or uses Personal Health Information in our capacity as an IT Service Provider to the dentist or dental academic institution that is the Custodian of that information. The obligation for obtaining each individual patient’s consent to the collection, use and disclosure of such information rests solely with each Custodian.

Exan only uses Personal Health Information for the purposes of providing the Custodian with services related to our software such as practice management consultation, troubleshooting and technical support. Any work we do that may involve access to information contained in a Custodian’s records is done at the Custodian’s premises or in-house here at Exan’s offices. Exan does not mine or manipulate the information contained within a Custodian’s records for any purpose.

Applicable Privacy Laws draw a distinction between a Custodian, who is required to maintain “custody and control” of any Personal Health Information that it collects, and an IT Service Provider, who may have “possession” of Personal Health Information in the course of providing specific services to a Custodian. As a result, even though the physical location of information contained within a Custodian’s records may change while it is in Exan’s “possession”, the information is always considered to be under the “custody and control” of the Custodian who remains ultimately responsible for the security and protection of that information at all times.

Exan is pleased to help facilitate our customers’ compliance with Applicable Privacy Laws that govern the transfer of Personal Health Information from a Custodian to an IT Service Provider via use of our standard Written Service Agreement which incorporates both legally required and leading edge best practices for the security and protection of Personal Information.

Security

Exan is committed to safeguarding the confidentiality of Personal Information, including Personal Health Information, that is entrusted to us by our customers and we protect the privacy of individuals who are the subject of the information that we collect or access in the course of our business.

Exan uses administrative, technological and physical safeguards to protect Personal Information against theft, loss and unauthorized access, collection, use, disclosure, copying, modification, retention, disposal, destruction or any similar risks. Some of the specific methods that we use to secure Personal Information include restricting physical access to designated areas containing Personal Information to authorized personnel only, controlling access to information through the use of a strict “need-to-know” policy, locking away physical files as well as the use of a series of security locks that include user ID’s, complex passwords, encryption and firewalls.

As a condition of employment, all personnel in our organization are required to sign a witnessed Oath of Confidentiality and Privacy regarding Personal Information that they access as a result of their employment with Exan. In addition, staff members receive regular ongoing training on Exan’s policies and procedures concerning the security and protection of Personal Information.

In the course of our business, Exan may engage the services of a contractor, agent or similar third party under contract from time to time (an “Agent”) in which case Exan requires the Agent’s written agreement to provide the same level of security and protection of Personal Information that Exan provides under the terms of our Written Service Agreement.

Exan regularly audits its security safeguards and compliance with Applicable Privacy Laws and any deficiencies discovered are immediately addressed and corrected.

Custodian’s Records

Exan’s customers are the Custodians of Personal Health Information collected in the course of their dental practices. As such, Exan is aware of the legal obligations that our customers are subject to when they permit Exan to access Personal Health Information in the course of performing IT services. Specifically, Exan understands that each Custodian with whom it does business must ensure that appropriate safeguards are in place to keep Personal Health Information protected.

Our Written Service Agreement describes how Personal Health Information provided to Exan will be protected, managed, returned or ultimately destroyed in accordance with applicable privacy legislation. In addition, our written security policy contains provisions for the recording of security breaches.

Exan creates and maintains a record of user activity on the systems through which our personnel access Personal Health Information that is in the custody and control of our customers. Exan retains this record of user activity for three (3) years and makes its records concerning our personnel’s access to a particular Custodian’s records available to that customer upon request.

We also invite our customers to monitor our compliance with required security procedures by inspecting and auditing Exan’s handling of Personal Health Information for which a Custodian is responsible at any time.

Retention & Destruction

Customer Information

Exan retains Personal Information for only as long as is reasonably required to fulfill the identified purposes for which the information was obtained or as required by law.

Exan will retain Personal Information which it has used to make a decision that directly affects an individual for at least one (1) year and, in the event of an access request or challenge, Exan will retain the Personal Information long enough to permit the individual at issue to exhaust any recourse that he/she may have under the law.

Where Personal Information is no longer required to fulfill the identified purposes, Exan will destroy the information. We destroy physical documents by way of shredding and electronic files are erased in their entirety in a manner such that no Personal Information can be recovered. When computer hardware is discarded, Exan physically destroys or securely wipes the hard drive upon which Personal Information was stored using appropriate security software.

Custodian’s Records

Exan only accesses and uses a Custodian’s records under the terms of our Written Service Agreement and for the specific purpose of providing the Custodian with software products and related services such as practice management consultation, troubleshooting and technical support.

Exan does not use the Personal Health Information that it accesses in its capacity as an IT Service Provider for any purpose other than providing the Custodian with requested products or services. In particular, Exan does not use Personal Health Information to make any decisions about the individual patient to whom the information relates. As a result, Exan does not retain Personal Health Information that it accesses in the course of its business. Rather, once the specific purpose for which Exan was required to use Personal Health Information is fulfilled, Exan immediately destroys any copy of the information that it may have made.

Exan does retain a record of user activity on the systems through which our personnel access Personal Health Information in the custody and control of each of our customers. This record of user activity is retained for a period of three (3) years and is available to each customer upon request.

Privacy Breach Notification

Customer Information

A “Privacy Breach” occurs when there is unauthorized access, collection, use, disclosure or disposal of Personal Information such as when a customer’s Personal Information is stolen, lost or mistakenly disclosed contrary to applicable privacy laws.

In the very unlikely event of a Privacy Breach at Exan with respect to the Personal Information that we collect from our customers, Exan will notify every individual to whom there exists a real risk of significant harm as a result of the breach.

In evaluating whether a real risk of significant harm exists, we will consider the issue from a reasonable person’s perspective and take into account a wide range of potential harms, including the risk of identity theft and any adverse impact on the mental, physical, economic or social well-being of the individual at issue.

Custodian’s Records

Exan will notify a Custodian at the first reasonable opportunity if Personal Health Information that is ultimately under the Custodian’s custody and control is stolen, lost, accessed, disclosed or disposed of contrary to our Written Service Agreement and Applicable Privacy Laws.

In the very unlikely event of a Privacy Breach at Exan involving Personal Health Information, our notice to each relevant Custodian will include: (a) a description of the nature of the Privacy Breach; (b) the date and location of the Privacy Breach; and, (c) the date that Exan discovered the Privacy Breach.

Under Applicable Privacy Laws, each Custodian is then responsible for notifying the individual(s) involved of the Privacy Breach and for notifying the relevant Privacy Commissioner (in jurisdictions where this is required).

Accuracy and Access

Correction of Customer Information

Exan makes every reasonable effort to ensure that Personal Information is accurate, complete and up-to-date when it is used to make a decision about a current or prospective customer or is disclosed to another organization. We rely on our customers to notify us if there is a change to their Personal Information that may affect their relationship with Exan.

If you are aware of an error in our information about you, you have the right to make a request for correction. You may request a correction by writing to Exan’s Privacy Officer (contact information is located at the end of this Policy). Your written request must include enough detail for us to be able to identify the Personal Information and the correction that you seek.

If we agree that the Personal Information is inaccurate or incomplete, we will correct the information and send the corrected information to any organization to whom we may have disclosed incorrect information about you.

Access Requests – Customer Information

Exan’s customers have a right to access the Personal Information that Exan holds about them, subject to certain exceptions discussed further below. You may make a request for access to your Personal Information by writing to Exan’s Privacy Officer (contact information is located at the end of this Policy). Your written request must include enough detail to allow us to identify the information you are seeking. You may also request information about how Exan uses and to whom it discloses your Personal Information.

Exan will make every reasonable effort to respond to a request for access to Personal Information as accurately and completely as possible. We will respond to your request within 30 business days or provide you with a written notice of extension if we need additional time to fulfill your request. If we require an extension, we will tell you the reason and when you can expect our response. We may charge a minimal fee to provide Personal Information and will provide you with a written estimate of the fee before beginning to process your request.

In some circumstances, Exan may be legally authorized or required not to disclose information to you. For example, we may refuse access to Personal Information if disclosure would reveal Personal Information about a third party, information subject to solicitor-client privilege or confidential business information, among others.

If we refuse a request for access to information in whole or in part, we will notify you in writing and provide the reasons for the refusal. We will also provide you with information on how to contact the relevant Privacy Commissioner’s Office to request a review of our decision. In some cases where exceptions to access apply, we may sever that information and provide you with the remainder of the record.

Custodian’s Records

If Exan receives a correction or access request from an individual whose information was provided to us or accessed by us in our capacity as an IT Service Provider, we will transfer the request to the Custodian who originally collected the information from that individual. Exan will inform the individual that the request has been transferred to the Custodian who has custody and control of the information.

Accountability and Contact Information

Exan is pleased to make copies of this Privacy Policy available to the general public via fax, e-mail, regular mail or on our website at www.Exangroup.com. Please note that requests for mailed copies must include a self-addressed, stamped envelope.

If you have a question or concern about any collection, use or disclosure of Personal Information by Exan, our compliance with this Privacy Policy or Applicable Privacy Laws or wish to submit a request for access or correction to your own Personal Information, please contact:

Privacy Officer
Exan Group
1963 Lougheed Highway
Coquitlam, British Columbia
V3K 3T8
Canada

Exan will make every reasonable effort to investigate and respond to all written challenges to our compliance with this Policy or Applicable Privacy Laws in a timely fashion. If we find that a challenge is well-founded, Exan will take appropriate measures, including changing our policies or procedures as required, to ensure that other individuals will not experience the same problem.

If you are not satisfied with our response to your access or correction request or any other concern regarding our compliance with Applicable Privacy Laws, you may contact the following offices:

Office of the Information and Privacy
Commissioner for British Columbia

P.O. Box 9038 Stn. Prov. Govt.
Victoria, British Columbia
V8W 9A4
Phone: 1-250-387-5629
Web site: www.oipc.bc.ca

The Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3
Phone: 1-800-282-1376
Web site: www.privcom.gc.ca


Exan Group General Security Policy

Under the terms of our Written Service Agreement and Applicable Privacy Laws, Exan Group of Companies (“Exan”) is required to implement administrative, technological and physical safeguards to protect Personal Health Information (“PHI”) against theft, loss and unauthorized access, collection, use, disclosure, copying, modification, retention, disposal, destruction or similar risks. It is the policy of Exan to fully comply with these stated requirements and accordingly, Exan adopts this Security Policy effective July 1, 2012.

Any terms not defined in this Security Policy have the same meaning as provided in Exan’s Privacy Policy and Personal Information Internal Procedures Manual.

Overview and Scope

This Security Policy applies with respect to PHI accessed or used by Exan in the course of providing requested IT products or services to our customers under the terms of our Written Service Agreement. For purposes of this Security Policy, “electronic format” includes: e-mail, intranet or extranet, disks, hard drives, external drives or storage, magnetic tape and electronic claims reports. Exan’s Privacy Officer is charged with administering this Security Policy.


Procedures

To the extent PHI in electronic format is accessed or used by Exan:

  1. Exan designs, develops, manages, and ensures the security of Exan’s technology infrastructure. Exan’s Privacy Officer designates a Security Officer who provides technical, policy and project leadership for all institutional electronic resources.
  2. Exan protects all electronic resources to ensure confidentiality, availability and integrity. PHI in electronic format constitutes a subset of those resources that are protected. PHI in electronic format is protected by administrative, physical, and technical safeguards that reflect best practices.
  3. PHI in electronic format that is transmitted from Exan’s network must be encrypted.
  4. Access to PHI in electronic format is generally limited to employees who provide software support to the Custodian. The Privacy Officer is responsible for determining and granting appropriate access and ensuring that access is terminated when it is no longer necessary for employees to perform their job duties. The Privacy Officer and Security Officer will periodically review the accounts on systems that manage PHI to ensure that only currently authorized individuals have access to the systems.
  5. Training on “Security Awareness” will be offered to employees who have access to PHI as soon as possible following their start date in a position which warrants access to PHI. In addition to training, the Security Officer will issue updates and reminders as needed to disseminate new information or warnings about new threats to systems security.
  6. The Security Officer conducts the comprehensive risk assessment that is required by Applicable Privacy Laws. Findings and recommendations are reported to Exan’s Privacy Officer. The risk assessment is updated annually.
  7. The Privacy Officer and Security Officer will ensure that Exan’s security policies and procedures meet the requirements for administrative, technological and physical safeguards under Applicable Privacy Laws. The Privacy Officer and Security Officer will maintain and update an inventory of safeguards that address these requirements. The Privacy Officer and Security Officer will implement such security standards as are required, and will evaluate each of the specific security standards that are deemed “addressable.” In the event the Privacy Officer and/or Security Officer determine that an addressable security standard is reasonable and appropriate, it will either (i) adopt the appropriate implementation specification, or (ii) adopt one or more alternative security measures that will accomplish the same purpose. In the event the Privacy Officer and/or Security Officer determine that the addressable standard is not reasonable and appropriate, it will adopt neither the implementation specification nor the alternative measures.

    In evaluating each security standard, the Privacy Officer and Security Officer may use the following factors: financial resources; budget; technical infrastructure; security capabilities of hardware and software; cost of measures; and risk to ePHI. The Privacy Officer and Security Officer will document the evaluation of the security standards.

  8. The Privacy Officer ensures that the Written Service Agreement reflects the level of security required under Applicable Privacy Laws.
  9. The Security Officer monitors ongoing and emerging issues related to the Applicable Privacy Laws and consults with the Privacy Officer to implement changes as needed.
  10. All Exan employees are required to immediately report suspected or known violations of this Security Policy to the Security Officer and the Privacy Officer. Exan is required to enforce sanctions and mitigate any resultant damages to the extent possible.
  11. Sanctions against Exan employees who violate this Security Policy will be enforced in accordance with Exan’s existing policies on disciplinary action, up to and including termination of employment.
  12. The Privacy Officer ensures that there are procedures in place for recording security breaches and that corrective measures are introduced to address any such breaches as soon as possible after they are discovered.


EXAN ENTERPRISES INC. SECURITY POLICY

(Revised February 2012)


Overview and Scope

This Security Policy applies with respect to ePHI received, maintained, used or disclosed by the Covered Entities that enter into software service agreements with the Business Associate.  For purposes of this Security Policy, “ePHI” is information, created or received by a Plan in electronic format, that relates to the past, present, or future physical or mental health or condition of an individual; to the provision of health care to an individual; or to the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual¹.


¹ For purposes of this Security Policy, “electronic format” includes: e-mail, intranet or extranet, disks, hard drives, external drives or storage, magnetic tape and electronic claims reports.  The Security Officer for Business Associate is charged with administering this Security Policy.


Procedures

To the extent ePHI is maintained:


  1. Business Associate designs, develops, manages, and ensures the security of the Business Associate’s technology infrastructure.  The Business Associate designates a Security Officer who provides technical, policy and project leadership for all institutional electronic resources.
  2. The Business Associate protects all electronic resources to ensure confidentiality, availability and integrity.  Electronic protected health information constitutes a subset of those resources that are protected.  Electronic PHI is protected by administrative, physical, and technical safeguards that reflect best practices.
  3. Electronic PHI that is transmitted outside of the Business Associate’s network must be encrypted.
  4. Access to ePHI is generally limited to employees who provide software support to the Covered Entity. The Privacy Officer is responsible for determining and granting appropriate access and ensuring that access is terminated when it is no longer necessary for employees to perform their job duties.  The Privacy Officer and Security Officer will periodically review the accounts on systems that manage ePHI to ensure that only currently authorized individuals have access to the systems.
  5. Training on “Security Awareness” will be offered to employees who have access to ePHI as soon as possible following their start date in a position which warrants access to ePHI.  In addition to training, the Security Officer will issue updates and reminders as needed to disseminate new information or warnings about new threats to systems security.
  6. The Security Officer conducts the comprehensive risk assessment that is required by the Security Rule.  Findings and recommendations are reported to the Privacy Officer.  The risk assessment is updated every two years.
  7. The Privacy Officer and Security Officer will maintain and update an inventory of safeguards that address Security Rule requirements. The Privacy Officer and Security Officer will implement such security standards as are required, and will evaluate each of the specific security standards that are deemed “addressable.” In the event the Privacy Officer and/or Security Officer determine that an addressable security standard is reasonable and appropriate, it will either (i) adopt the appropriate implementation specification, or (ii) adopt one or more alternative security measures that will accomplish the same purpose. In the event the Privacy Officer and/or Security Officer determine that the addressable standard is not reasonable and appropriate, it will adopt neither the implementation specification nor the alternative measures.

    In evaluating each security standard, the Privacy Officer and Security Officer may use the following factors: financial resources; budget; technical infrastructure; security capabilities of hardware and software; cost of measures; and risk to ePHI.  The Privacy Officer and Security Officer will document the evaluation of the security standards.

  8. The Privacy Officer ensures that Business Associate Contracts reflect requirements of the Security Rule.
  9. The Security Officer monitors ongoing and emerging issues related to the Security Rule and consults with the Privacy Officer to implement changes as needed.
  10. All Business Associate employees are required to immediately report suspected or known violations of the Security Rule.  Reports should be made to the Security Office.  Employer and the Plans are required to enforce sanctions and mitigate damages to the extent possible.
  11. Sanctions against workforce members who violate the Security Rule will be enforced in accordance with existing Employer policies on disciplinary action, including termination of employment.
