Context And Scope
Voiant provides radiology decision support and clinical trial services to healthcare providers, pharmaceutical/biotechnology companies, and other healthcare-related entities. In this role, Voiant receives and processes data containing private information, including Personally Identifiable Information (PII) and Protected Health Information (PHI).
Voiant does not itself collect PII or PHI, but rather Voiant acts upon data received from its customers‒namely sponsors, clients, and vendors‒to perform data processing activities, as documented by contract and following established procedures.
This notice outlines Voiant’s approach to maintaining the integrity, privacy and security of the PII and PHI under the requirements of:
- United States Health Information Portability Accountability Act (US HIPAA) under which Voiant operates as a “business associate”
- European Union’s General Data Protection Regulation (EU GDPR) under which Voiant operates as a “data processor”
This notice also addresses the “Rights of the Individual” under US HIPAA and EU GDPR.
Private Information Use And Further Disclosure
Voiant uses PII and PHI on behalf of its customers, who are responsible for obtaining consent from the individual who is the subject of the private information. Customers’ contracts with their respective parties govern Voiant’s use of the provided PII and PHI, restricting use to the specific services.
Voiant collects personal data and sensitive personal data of employees, workers, contractors, and applicants seeking employment with Voiant; Voiant processes all staff information for human resource purposes, including payroll, tax, and performance reviews and assessments. Voiant also collects personal data and information from applicants who apply to recruitment offers and positions. This information may include contact details, professional qualifications, previous professional experience, references, and relevant background checks. External advisors’ and consultants’ information is collected and processed in the same manner and in accordance with Voiant processes.
Voiant internal policies, procedures and semi-automated processes restrict access to the PII and PHI to only those company personnel who require access to complete the contracted tasks. Voiant personnel who are authorized to process the PII and PHI as part of performing their job are committed to maintaining the privacy of the information.
Voiant does not distribute or disclose the PII or PHI unless required in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Voiant does not sell, rent, share, or use the (identified or de-identified) PHI or PII for profiling, criminal offense/conviction processing, or in any manner that infringes an individual’s right to privacy.
Voiant maintains records of data processing activities. The PII and PHI are securely stored in Voiant’s system as authorized per customer contract with Voiant.
How Private Information At Voiant Is Protected
To address the variety of regulatory regimes, Voiant focuses on industry best practices for achieving data integrity, ensuring authenticity, protecting privacy, and building cybersecurity. Voiant has established mechanisms for user authentication and authorization, workstation management, anti-malware defenses, intrusion detection and prevention on networks and servers, physical security, and operational monitoring to protect the PII and PHI.
Organizational policies and procedures reaffirm the responsibility of Voiant personnel for the security and privacy of the PII and PHI. Additionally, change management processes govern the development of new software capabilities, as well as the revision of existing software features to avoid vulnerabilities or exposure of the PII and PHI.
Voiant does not engage with third-party data controllers or data processors without authorization from the customer. Voiant has established procedures for qualification and oversight of any third party to which Voiant entrusts access to the PII or PHI.
In the event of a breach or non-compliance incident, customers are notified promptly as mandated by contractual obligations and regulatory requirements. Voiant’s customers retain the responsibility of notifying the affected individuals and reporting to appropriate regulatory or government agencies.
Rights Of The Individual
Any individual who is the subject of the private information has the right to request access, require deletion, restrict use, and request amendment or correction of their information. These individuals also have the right to request receipt of communication notices and disclosures related to their private information. Given that Voiant receives the PII and PHI on behalf of its customers in performing its contractual obligations, the requesting individual must work through Voiant’s customer to exercise these rights. Voiant promptly complies with all such requests, without undue delay, from its customers made on behalf of the individual in question.
Availability Of The Voiant Privacy Notice
Effective Date (10-Nov-2023)