eFiche Privacy Policy

Effective Date: October 3, 2024

1. Introduction

At eFiche Ltd. ("eFiche," "we," "us," or "our"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you interact with our Electronic Medical Record (EMR) system, including our web and mobile applications, and any related services (collectively, the "Services"). It also informs you of your rights regarding your personal data and how you can exercise those rights.

By using the Services, you consent to the practices outlined in this Privacy Policy.

2. Information We Collect

We collect information that identifies, relates to, describes, or could be reasonably linked, directly or indirectly, with you or your household ("personal information"). The types of personal information we collect include:

a. Personal Information You Provide
  • Demographic Information: Name, date of birth, gender, contact information (address, phone number, email)
  • Health Information: Medical history, diagnoses, treatments, medications, lab results
  • Insurance Information: Insurance provider, policy numbers, claims
  • Payment Information: Billing and payment details
  • Account Credentials: Username, password, and authentication details
  • Other Information: Any other data you provide to us voluntarily, such as feedback, inquiries, or survey responses
b. Information Collected Automatically
  • Device Information: IP address, device type, operating system, browser type, and other system information
  • Usage Data: Pages visited, time spent on the platform, links clicked, and features used
  • Location Data: Geographic location when you enable location services
  • Cookies & Tracking Technologies: We may use cookies, beacons, and other tracking technologies to enhance your experience and collect information on how our Services are used
c. Information from Third Parties
  • Healthcare Providers: Information from doctors, clinics, pharmacies, and other healthcare entities that use our Services
  • Third-Party Integrations: Data from national health systems, laboratories, or third-party integration partners

3. How We Use Your Information

  • Service Delivery: To operate, maintain, and provide the Services, including processing your information for patient care, medical consultations, and health data management.
  • Improvement & Personalization: To enhance our Services, customize user experiences, and develop new features.
  • Communication: To send you important updates, notifications, and other relevant information about your account or our Services.
  • Analytics & Research: To analyze usage data, identify trends, and conduct research aimed at improving our Services and the overall user experience.
  • Security: To detect and prevent fraud and unauthorized access, and to ensure the safety of your personal information.
  • Legal Compliance: To comply with legal obligations, respond to lawful requests, and protect our legal rights.

4. Disclosure of Your Information

We may disclose your personal information under the following circumstances:

a. With Your Consent:

With your authorization, we may share your health information with other medical professionals involved in your care.

b. For Operational Purposes:

We may share information with third-party service providers who assist us in providing, maintaining, and improving the Services (e.g., cloud storage providers, analytics providers).

c. For Business Transactions:

We may share information with trusted business partners who offer services that integrate with or complement our own, provided it enhances the quality of care.

d. To Comply with Legal Requirements:

If required by law, regulation, or legal process, we may disclose personal information to governmental or regulatory bodies, courts, or law enforcement agencies.

5. Data Security

We are committed to protecting your personal information using industry-standard technical, administrative, and physical safeguards. While we take reasonable measures to secure your data, no system can guarantee absolute security. We encourage you to take appropriate steps to protect your account credentials and devices.

6. Your Privacy Rights

You have certain rights with respect to your personal information. These include:

  • Access: You have the right to request access to the personal information we hold about you.
  • Correction: You can request the correction of inaccurate or incomplete information.
  • Deletion: You have the right to request deletion of your personal information under certain circumstances.
  • Restriction & Objection: You can object to, or request restriction of, our processing of your personal information.
  • Data Portability: You may request a copy of your personal data in a structured, machine-readable format.

To exercise any of these rights, please contact us using the details provided in the "Contact Us" section below.

7. Data Retention

We will retain your personal information for as long as necessary to provide the Services or as required by applicable laws and regulations. Upon request, we will delete or anonymize your data unless we are required to retain it to comply with legal obligations.

8. Children’s Privacy

Our Services are not intended for children under 13 years of age. We do not knowingly collect or process personal information from children under 13 without parental consent. If we become aware that we have inadvertently collected such data, we will take steps to delete it as quickly as possible.

9. International Data Transfers

If you are accessing the Services from outside of Rwanda, your personal information may be transferred to, stored, and processed in Rwanda or other jurisdictions where our servers and service providers are located. By using our Services, you consent to any such transfer.

10. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in legal, technical, or business developments. Any changes will be posted on our website, and if the changes are significant, we will provide a more prominent notice (e.g., by email or through the Services).

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

eFiche Ltd.
Bodifa Mercy House, 6th Floor, KN 5 Rd, Kigali
Email: privacy@efiche.africa

Ensuring Privacy and Protection of Personal Health Information (PHI)

eFiche ensures the privacy and protection of Personal Health Information (PHI) through a multi-layered security framework that complies with both national and international standards for data privacy and security. As a registered data processor with the National Cyber Security Agency (NCSA), eFiche adheres to stringent cybersecurity protocols that ensure the highest levels of protection for sensitive health information. Below are the key measures in place:

1. Data Encryption

In-Transit Encryption: eFiche uses Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to encrypt PHI while it is being transmitted between users and servers. This ensures that sensitive data is protected from interception during its transmission over the internet.

At-Rest Encryption: All PHI stored within eFiche’s databases is encrypted using strong encryption algorithms. This ensures that even if unauthorized parties gain access to the physical storage, they would not be able to read the information without decryption keys.

2. Access Controls

Role-Based Access Control (RBAC): eFiche enforces strict access controls, ensuring that only authorized users, such as healthcare professionals, can access the specific PHI necessary for their roles. This limits exposure to sensitive information.

Multi-Factor Authentication (MFA): Users are required to verify their identity using multiple methods (e.g., passwords and one-time codes) before gaining access to sensitive health data. This significantly reduces the risk of unauthorized access.

3. Data Anonymization and Minimization

Anonymization: eFiche anonymizes personal data whenever possible, especially for use in research, analytics, or reporting, to ensure that no individual can be directly identified from the data.

Minimization: eFiche collects only the necessary information needed for the specific purpose of providing healthcare services. Unnecessary data is either excluded or anonymized, ensuring minimal exposure of personal data.

4. Audit Logs and Monitoring

Comprehensive Logging: All access to PHI is logged, creating a detailed audit trail that tracks who accessed the data, when, and for what purpose. This ensures accountability and transparency in data handling.

Continuous Monitoring: The system continuously monitors for suspicious activity, such as unauthorized access attempts or anomalies in usage patterns. If any potential breach is detected, alerts are triggered, and the security team initiates an investigation.

5. Compliance with Local and International Standards

As a registered data processor with the NCSA, eFiche complies with local Rwandan data protection regulations, including those governing the protection of Personal Health Information. eFiche also aligns with international standards like HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation), ensuring compliance with global best practices in data security.

6. Third-Party and Integration Security

When sharing data with external entities such as healthcare providers or laboratories, or integrating with third-party systems like national health information exchanges, eFiche ensures that these partners meet the same security standards and have appropriate data-sharing agreements in place. This mitigates risks when PHI crosses organizational boundaries.

7. Data Storage and Retention Policies

Data Retention: eFiche only retains PHI for as long as necessary to fulfill the purposes for which it was collected or as required by law. After that, data is securely deleted or anonymized.

Backup Protection: eFiche ensures that all backups are encrypted and securely stored, making sure that data remains protected even in disaster recovery scenarios.

8. User Rights and Consent Management

Patient Control: Patients have control over their PHI through explicit consent mechanisms. eFiche allows patients to manage how their data is shared with healthcare providers and external parties, ensuring that no data is disclosed without their permission.

User Rights: In compliance with data protection laws, patients have the right to access, correct, or delete their personal data, and can request restrictions on how their PHI is used.

9. Regular Security Audits and Vulnerability Assessments

eFiche undergoes regular internal and external security audits to identify and mitigate vulnerabilities. Periodic penetration testing is also conducted to ensure the system remains resilient to new and evolving threats.

10. Incident Response and Breach Notification

In the event of a data breach, eFiche has a well-defined incident response plan in place. This plan includes immediate containment of the breach, investigation, mitigation of any damage, and timely notification to affected individuals and regulatory bodies, as required by law.

By implementing these comprehensive measures, eFiche ensures that Personal Health Information (PHI) is kept secure, private, and only accessible by authorized individuals. This helps build trust with healthcare providers and patients while aligning with both legal obligations and industry best practices for data protection.