Context and Scope
MedQIA provides radiology decision support and clinical trial services to healthcare providers, pharmaceutical/biotechnology companies, and other healthcare-related entities. In this role, MedQIA receives and processes data containing private information, including Personally Identifiable Information (PII) and Protected Health Information (PHI).
MedQIA does not itself collect PII or PHI; rather, MedQIA acts upon data received from its customers, namely sponsors, clients, and vendors, to perform data processing activities, as documented by contract and following established procedures.
This notice outlines MedQIA’s approach to maintaining the integrity, privacy and security of the PII and PHI under the requirements of:
- United States Health Information Portability Accountability Act (US HIPAA), under which MedQIA operates as a “business associate”
- European Union’s General Data Protection Regulation (EU GDPR), under which MedQIA operates as a “data processor”
This notice also addresses the “Rights of the Individual” under US HIPAA and EU GDPR.
Private Information Use and Further Disclosure
MedQIA uses PII and PHI on behalf of its customers, who are responsible for obtaining consent from the individual who is the subject of the private information. Customers’ contracts with their respective parties govern MedQIA’s use of the provided PII and PHI, restricting use to the specific
MedQIA internal policies, procedures and semi-automated processes restrict access to the PII and
PHI to only those company personnel who require access to complete the contracted tasks.
MedQIA personnel who are authorized to process the PII and PHI as part of performing their job
are committed to maintaining the privacy of the information.
MedQIA does not distribute or disclose the PII or PHI unless required in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. MedQIA does not sell, rent, share, or use the (identified or de-identified) PHI or PII for profiling, criminal offense/conviction processing, or in any manner that infringes an individual’s right to privacy.
MedQIA maintains records of data processing activities. The PII and PHI are securely stored in MedQIA’s systems as authorized by the customer’s contract with MedQIA.
How Private Information at MedQIA is Protected
To address the variety of regulatory regimes, MedQIA focuses on industry best practices for
achieving data integrity, ensuring authenticity, protecting privacy, and building cybersecurity.
MedQIA has established mechanisms for user authentication and authorization, workstation management, anti-malware defenses, intrusion detection and prevention on networks and
servers, physical security, and operational monitoring to protect the PII and PHI.
Organizational policies and procedures reaffirm MedQIA personnel responsibility for the security
and privacy of the PII and PHI. Additionally, change management processes govern the
development of new software capabilities, as well as the revision of existing software features to
avoid vulnerabilities or exposure of the PII and PHI.
MedQIA does not engage with third-party data controllers or data processors without
authorization from the customer. MedQIA has established procedures for qualification and
oversight of any third-party to which MedQIA entrusts access to the PII or PHI.
In the event of a breach or non-compliance incident, customers are notified promptly as
mandated by contractual obligations and regulatory requirements. MedQIA’s customers retain
the responsibility of notifying the affected individuals and reporting to appropriate regulatory or
Rights of the Individual
Any individual who is the subject of the private information has the right to request access, require
deletion, restrict use, and request amendment or correction of their information. These individuals
also have the right to request receipt of communication notices and disclosures related to their
private information. Given that MedQIA receives the PII and PHI on behalf of its customers in
performing its contractual obligations, the requesting individual must work through MedQIA’s
customer to exercise these rights. MedQIA promptly complies with all such requests, without
undue delay, from its customers made on behalf of the individual in question.
Any individual who believes their privacy rights have been violated has the right to submit a complaint, without retaliation, by sending an e-mail to email@example.com
Availability of the MedQIA Privacy Notice
internally. MedQIA is required to abide by the terms of this associated privacy notice, available within the company and publicly on the company website at www.medqia.com
and business conduct. This associated privacy notice will be updated accordingly, as applicable, and will be made available publicly on the company website.
For further information related to this privacy notice, contact firstname.lastname@example.org
The effective date of this policy notice is 21-Dec-2022