Terms of Purchase

 Privacy Impact Assessment Statement of Work


This Statement of Work (“SOW”) is between Brightsquid Secure Communications Corp., and clinics that purchase our Privacy Impact Assessment (PIA) services (“Client”).

Scroll to review this SOW and click accept to continue your purchase.

1. Overview.

Brightsquid provides a variety of privacy and security services (the “Services”) to Custodians to assist with compliance with the Health Information Act of Alberta. This SOW describes the terms and conditions that will apply to Brightsquid’s Services to the Client.

2. Definitions.

2.1. “ Agreement ” means this Agreement executed by and between Brightsquid and the Client.
2.2. “ Privacy Impact Assessment (PIA) ” means the final report provided to the Client and the Office of the Information and Privacy Commissioner of Alberta (OIPC) by Brightsquid, in which Brightsquid describes that the Client (or Custodian) has considered the privacy risks of the  implemented system or practice and has taken reasonable steps to mitigate against those risks.
2.3. “ Protected Health Information (PHI) ” means individually identifying health information that is collected, used, and/or disclosed by the Client and can be linked to a specific individual.
2.4. “ Policies and Procedures ” means the policies and procedures that govern the access, storage, maintenance, transmission, or dealings with PHI.
2.5. “ SOW Effective Date ” means the later of the dates this SOW is executed by the Client and Brightsquid.
2.6. “ Vendor ” means a 3rd party organization contracted (not employed) by the Client to provide specified services. These include but are not limited to billing, cleaning, paper shredding, device/software support, internet/e-mail, and information technology services.

3. Responsibilities of the Client.

3.1. Client will name a representative who is responsible for working directly with Brightsquid to provide the necessary information to complete the PIA on the mutually agreed schedule.
3.2. The Services schedule will depend on Brightsquid's and Client’s availability. Scheduling for the completion of the PIA will be mutually agreed upon at the commencement of the services engagement.
3.3. Client will participate in remotely conducted conference calls and/or phone calls, as described in Schedule 1, to discuss Client vendors, systems, security controls, as well as Policies and Procedures.
3.4. Prior to conducting these calls, the Client will provide Brightsquid with information and documentation required to understand the Client’s systems. This information may include but is not limited to:

3.4.1. Answers to the PIA questionnaire;
3.4.2. Existing Policies and Procedures if available;
3.4.3. Information systems diagrams if available;
3.4.4. Existing list of software and hardware technologies used by the Client
3.4.5. Descriptions of the flow of data and information within the Client’s systems, and;
3.4.6. Other information requested by Brightsquid.

3.5. Client will provide Brightsquid with all necessary credentials, resources, and support enabling Brightsquid to perform the Services, including but not limited to actively assisting in acquiring information from Client vendors to support the completion of the PIA.
3.6. Brightsquid will provide the Client with templates, guidelines, and other assets that assist the Client in OIPC acceptance of the Client’s PIA. The client is solely responsible for implementing these assets to meet HIA compliance requirements.
3.7. Client will forward any communication received from the Office of the Information and Privacy Commissioner to Brightsquid in a timely manner.

4. Description of PIA Services.

4.1. Health Information Act Compliance Assessment.

4.1.1. Brightsquid and Client will participate in conference and/or phone calls
to understand the current state of the Client’s level of conformance with the applicable regulations of the Health Information Act. This encompasses an assessment of health information and security controls, including administrative, physical, and technical safeguards.
4.1.2. Client will complete the PIA Questionnaire at the commencement of the engagement and prior to assessment services beginning in earnest.
4.1.3. Client will provide information and participate in calls, as identified in the mutually agreed upon schedule.
4.1.4. Brightsquid will complete the PIA on behalf of the Client.
4.1.5. At the end of the assessment, Brightsquid will submit, on behalf of the Client, a PIA to the Office of the Information and Privacy Commissioner and provide the PIA to the Client.
4.1.6. After submitting the PIA to the Office of the Information and Privacy Commissioner: Brightsquid will directly respond to OIPC queries where possible; Brightsquid will engage Client, and Client will respond directly to Brightsquid when required; Brightsquid and Client will jointly engage Client's vendors when required, and; Client will escalate vendor non-conformance to regulatory bodies when required.

4.2. Health Information Act Compliance Assets.

4.2.1. Vendor Non-Disclosure Agreement (VNDA) Template. Brightsquid will provide Client with a template for Vendor Non-Disclosure Agreements, as required by the Health Information Act. The Client will be responsible for having its vendors sign the Agreement.
4.2.2. Confidentiality Template. Brightsquid will provide Client with a template for Confidentiality Agreements, as required by the HealthInformation Act. The Client will be responsible for having its staff sign the Agreement.
4.2.3. Information Manager Agreement (IMA) Template. Brightsquid will provide Client with a template for Information Manager Agreements, as required by the Health Information Act
4.2.4. Policies and Procedures. Brightsquid will provide Client with a set of Policies and Procedures that specifically address the applicable rules in the Health Information Act.
4.2.5. Templates. Brightsquid will provide templates for useful privacy-related forms (for example, disclaimers, privacy breach reporting form)

4.3. Health Information Act Training

4.3.1. Brightsquid’s services include Brightsquid scheduled in-person group training events in Calgary, Edmonton, Lethbridge, and Red Deer where all custodians, privacy officers, and staff of the Client can attend at no extra charge.
4.3.2. Brightsquid provides Privacy Training Manuals addressing the Clinic’s privacy officer, staff, and practitioners.

5. Other Products and Services.

5.1. Consultation. Client may purchase additional products and services which may include: on-site meetings, on-site compliance training, on-site auditing, business process optimization, vendor meetings, etc. These products and services are not part of the PIA services and must be purchased separately, comprising: (a) consultation fee and (b) nonrefundable travel expenses.

6. Payment.

6.1. Client agrees to pay Brightsquid before the start of the Services.

7. Protected Health Information

7.1. During the performance of the services, Brightsquid’ Products, Services, and personnel will only observe Client’s employees access of Client Data and PHI and will not access, maintain, store, collect, process, or transmit PHI themselves.
7.2. Client will not transfer any PHI to Brightsquid during the performance of the Services.
7.3. Any PHI viewed by Brightsquid, accidentally or otherwise, will be treated in accordance with the Health Information Act standard and returned or deleted before the termination of this SOW.
7.4. Brightsquid will not collect, use, or disclose any Client Data or PHI observed during the performance of the Services.

8. Term and Termination.

8.1. This SOW becomes effective on the SOW Effective Date and will terminate one year
after the SOW Effective Date.