Elyx - Data Privacy and Security Policy
Introduction
At Elyx Life ("Elyx"), we are committed to safeguarding the privacy and security of our patients' personal and medical information. This document outlines our data privacy and security practices in compliance with the Personal Data Protection Act (PDPA) and other relevant healthcare regulations.
1. Purpose of Data Collection
We collect, use, and store patient data for the following purposes:
- 1.1. Provision of Medical Services: To include the provision of accurate diagnosis, treatment, and follow-up care.
- 1.2. Appointments and Communication: To include the scheduling of appointments, sending reminders, and communicating test results.
- 1.3. Billing and Payment: To include facilitating billing, processing payments, and handling insurance claims.
- 1.4. Regulatory Compliance: To include complying with legal and regulatory requirements, and associated reporting obligations.
- 1.5. Quality Improvement: To include conducting internal audits, training, and quality assurance initiatives.
- 1.6. Analysis: To include the use of de-identified and aggregated data to perform analyses and create reports regarding overarching health trends and diagnostics.
2. Types of Data Collected
We may collect and process the following categories of personal data, including but not limited to:
- 2.1. Personal Identification Information:
  - Full Name
  - NRIC/FIN/Passport Number
  - Date of Birth
  - Contact Information (e.g., phone number, email address, residential address)
- 2.2. Medical Information:
  - Medical history
  - Diagnostic results
  - Medications and treatment plans
  - Allergies and chronic conditions
  - Wearables data
- 2.3. Financial Information:
  - Payment details
  - Insurance information
- 2.4. Other Data:
  - Emergency contact information
  - Feedback and inquiries submitted by patients
  - Scheduling and logistics information
  - Contact details of support persons
  - Any other information required to facilitate lifestyle changes and drive outcomes.
3. How We Protect Your Data
We implement robust technical, administrative, and physical safeguards to ensure the confidentiality, integrity, and availability of patient data. These measures include:
- 3.1. Technical Safeguards:
  - Encryption of data in transit and at rest.
  - Use of secure servers and firewalls.
  - Access controls, including multi-factor authentication.
- 3.2. Administrative Safeguards:
  - Annual staff training on data privacy and security.
  - Designation of a Data Protection Officer (DPO).
  - Regular internal audits and reviews of data protection policies.
- 3.3. Physical Safeguards:
  - Restricted access to areas where sensitive data is stored.
  - Secure disposal of physical documents containing patient information.
4. Data Sharing and Disclosure
We do not sell or share patient data with third parties for marketing purposes. However, we may share data under the following circumstances:
- 4.1. With Patient Consent: Sharing information with other healthcare providers or institutions at the patient's request. Patients may also consent to the disclosure to specifically identified individuals (e.g., spouses, emergency contacts, etc.).
- 4.2. For Medical Purposes: Referral to specialists, diagnostic labs, or other medical practitioners.
- 4.3. Regulatory Compliance: Reporting to government authorities as required by law (e.g., communicable disease notifications).
- 4.4. Insurance Claims: Sharing relevant data with insurance providers for claims processing.
- 4.5. Third-Party Service Providers: Engaging vetted service providers (e.g., IT or billing systems) under strict confidentiality agreements.
Please refer to Sections 5.2 and 5.3 of the Terms of Service Agreement for further details.
5. Patients' Rights
Under the PDPA, patients have the following rights regarding their personal data:
- 5.1. Access and Correction: Patients can request access to or correction of their personal data.
- 5.2. Withdrawal of Consent: Patients can withdraw their consent for data collection, subject to legal or contractual restrictions.
- 5.3. Data Portability: Patients can request the transfer of their data to another healthcare provider.
- 5.4. Complaints: Patients can file complaints regarding data privacy or security breaches with our clinic's Data Protection Officer (DPO).
To exercise any of these rights, or to convey any questions or concerns you may have, please contact our DPO at [contact email or phone number].
6. Retention and Disposal of Data
- 6.1. Retention Period: We retain patient data for as long as necessary to fulfill the purposes outlined in this policy or as required by law.
- 6.2. Secure Disposal: Upon reaching the retention period, data will be securely deleted or destroyed to prevent unauthorized access.
7. Breach Notification
In the event of a data breach, Elyx will:
- 7.1. Notify affected individuals and relevant authorities in compliance with PDPA requirements.
- 7.2. Take immediate steps to mitigate risks and prevent further breaches.
- 7.3. Conduct a root cause analysis and update our data protection measures as necessary.
8. Updates to This Policy
We may update this policy from time to time to reflect changes in legal, regulatory, or operational requirements. The latest version will always be available on our website or at our clinic premises.
9. Contact Information
If you have any questions or concerns about this policy, please contact our Data Protection Officer:
- Name: Nishanth Sudharsanam
- Email: nishanth@elyx.life
- Address: 80 RAFFLES PLACE, #58-01, UOB PLAZA, SINGAPORE (048624)