Health Information Privacy Policy

Website and Health Information Privacy Policy
Document No.: SIP-754-01
Version 1

 

1. PURPOSE

Fionet Rapid Response Group Inc. (“Fio”, “Fionet”, “we”, “our”, or “us”) is committed to protecting the privacy, confidentiality, integrity, availability, and security of Personal Health Information (“PHI”) and other sensitive personal data processed through Fionet platforms, software products, implementations, services, integrations, analytics systems, and operational support activities.

This Health Information Privacy Policy establishes the principles, governance framework, operational safeguards, and accountability mechanisms governing the collection, access, use, disclosure, storage, transfer, retention, de-identification, and disposal of PHI processed through Fionet systems.

This policy reflects Fionet’s operational reality as a provider of:

  • Electronic Community Health Information Systems (eCHIS)

  • Health Facility Electronic Medical Record (EMR) systems

  • Digital disease surveillance systems

  • Campaign management and vaccination tracking systems

  • Laboratory and diagnostic data systems

  • Clinical decision support systems

  • Health analytics and reporting platforms

  • Mobile health applications and offline-first healthcare systems

  • Health interoperability and integration services

  • Population health and public health management systems

This policy is intended to align with applicable privacy, data protection, cybersecurity, public health, and health information laws and regulations in jurisdictions where Fio operates, including but not limited to:

  • Ontario Personal Health Information Protection Act (PHIPA)

  • HIPAA and related U.S. healthcare privacy requirements where applicable

  • GDPR and related EU privacy regulations where applicable

  • Country-specific health information and data residency regulations

  • National Ministry of Health requirements

  • Contractual and donor-specific data governance obligations

2. SCOPE

This policy applies to:

  • All PHI and health-related personal data processed through Fionet products and services

  • Data collected directly by Fionet or indirectly through customers and implementing partners

  • Data processed in cloud-hosted, hybrid, and on-premise deployments

  • Online and offline data collection workflows

  • Mobile device data collection and synchronization

  • Integrated systems and third-party interoperability exchanges

  • Support, maintenance, analytics, implementation, and operational activities

  • Employees, contractors, consultants, agents, temporary staff, and subprocessors

This policy applies globally unless superseded by stricter local legal or contractual obligations.

This policy does not apply to:

  • Publicly available information not processed through Fionet systems

  • Internal employee HR records unrelated to healthcare delivery

  • Purely anonymized statistical datasets that cannot reasonably identify individuals

3. DEFINITIONS

3.1 Personal Health Information (PHI)

“Personal Health Information” means identifying information relating to an individual’s physical or mental health, healthcare status, healthcare delivery, diagnosis, treatment, medications, laboratory results, vaccination status, reproductive health, disease exposure, referrals, clinical history, public health interactions, biometric or physiological indicators, health identifiers, or healthcare service utilization.

PHI includes information in oral, written, electronic, photographic, biometric, scanned, structured, or unstructured form.

3.2 Personally Identifiable Information (PII)

Information that identifies or could reasonably identify an individual, either directly or indirectly.

3.3 De-identified Information

Information processed to remove or minimize identifying elements such that the risk of re-identification is substantially reduced using reasonable technical and organizational safeguards.

3.4 Health Care

Any health-related observation, examination, diagnosis, treatment, referral, care activity, public health intervention, disease prevention activity, vaccination effort, laboratory procedure, medication dispensing activity, or healthcare service.

3.5 Data Controller / Health Information Custodian

The Ministry of Health, healthcare provider, implementing partner, customer, or organization legally responsible for determining the purposes and means of processing PHI.

3.6 Data Processor / Service Provider

Fionet may act as a data processor, service provider, or agent on behalf of a healthcare provider, Ministry of Health, donor-funded program, NGO, or other authorized data controller.

3.7 Minimum Necessary Principle

The principle that access to PHI shall be limited to the minimum amount necessary to perform authorized functions.

3.8 Security Incident

Any actual or suspected event involving unauthorized access, use, disclosure, modification, destruction, loss, unavailability, corruption, or compromise of systems or data.

4. PRIVACY PRINCIPLES

Fionet’s handling of PHI is guided by the following principles:

  1. Lawfulness and transparency

  2. Purpose limitation

  3. Data minimization

  4. Accuracy and quality

  5. Security and confidentiality

  6. Accountability and auditability

  7. Least privilege access

  8. Storage limitation

  9. Integrity and resilience

  10. Privacy by design and by default

  11. Responsible analytics and de-identification

  12. Respect for patient rights and applicable consent requirements

5. ROLE OF FIONET

Depending on the implementation model, Fionet may operate as:

  • A software platform provider

  • A hosted infrastructure provider

  • A managed services provider

  • A health information processor

  • A subcontracted technology partner

  • A systems integrator

  • A support and maintenance provider

  • A public health reporting facilitator

  • A data migration and interoperability provider

In most implementations, the Ministry of Health, healthcare provider, or implementing organization remains the primary custodian or controller of PHI.

Fionet processes PHI only:

  • For authorized healthcare delivery and operational purposes

  • Under contractual authorization

  • Under documented customer instructions

  • As required by law

  • For security, support, and system integrity purposes

  • For approved public health or reporting obligations




6. PERSONAL HEALTH INFORMATION WE COLLECT

The categories of PHI processed through Fionet systems may include:

6.1 Patient Demographic Information

  • Full name

  • Date of birth or estimated age

  • Sex/gender

  • Address or settlement information

  • Phone number

  • National identifiers

  • Health insurance identifiers

  • National health IDs

  • Family and household linkage information

  • Caregiver information

  • GPS or geolocation data where operationally necessary

  • Biometrics or unique identifiers, where permitted

6.2 Clinical Information

  • Symptoms and complaints

  • Diagnoses

  • Clinical notes

  • Medications and prescriptions

  • Allergies

  • Immunization records

  • Pregnancy and maternal health information

  • Newborn and child health records

  • Laboratory orders and results

  • Vital signs and physiological measurements

  • HIV, TB, malaria, and infectious disease information

  • Referral records

  • Clinical images and attachments

  • Treatment outcomes

  • Disease surveillance information

  • Community screening records

  • Risk assessments

6.3 Public Health and Campaign Information

  • Vaccination campaign participation

  • Enumeration and registration information

  • Household visit records

  • Settlement-level operational information

  • Disease outbreak tracking data

  • Contact tracing or exposure data where legally authorized

  • Population health statistics

  • Campaign team operational records

6.4 Operational and System Information

  • Device identifiers

  • Application logs

  • User access logs

  • Audit trails

  • IP addresses

  • Synchronization records

  • Security event records

  • Offline data synchronization metadata

  • Session timestamps

  • User activity records


6.5 Workforce and Provider Information

  • Healthcare worker identifiers

  • Professional credentials

  • Facility assignments

  • User roles and permissions

  • Operational performance metrics

7. SOURCES OF INFORMATION

PHI may be collected from:

  • Patients and caregivers

  • Healthcare workers

  • Community health workers

  • Facilities and laboratories

  • Ministries of Health

  • Public health agencies

  • Mobile applications and medical devices

  • Integrated third-party systems

  • Customer-operated workflows

  • Partner organizations

  • Public health campaigns and outreach activities

In many deployments, PHI is collected primarily by healthcare providers or Ministries of Health using Fionet systems.

8. LEGAL BASIS AND CONSENT

Fionet processes PHI only where there is a valid legal basis, including:

  • Patient consent

  • Healthcare delivery requirements

  • Public health mandates

  • Legal or regulatory obligations

  • Contractual authorization from healthcare custodians

  • Vital interests of individuals

  • Legitimate healthcare operations where legally permitted

Where required by applicable law:

  • Consent shall be informed and appropriately documented

  • Consent withdrawal mechanisms shall be supported where operationally feasible

  • Processing limitations associated with withdrawn consent shall be respected unless overridden by law or public health requirements

Certain public health, disease surveillance, vaccination, and outbreak management activities may be conducted under statutory authority without explicit patient consent where permitted by law.

9. PURPOSES OF PROCESSING

PHI may be processed for the following purposes:

9.1 Healthcare Delivery

  • Patient registration and identification

  • Clinical documentation

  • Treatment planning

  • Care coordination

  • Referral management

  • Diagnostic workflows

  • Medication management

  • Maternal and child health management

  • Chronic disease management

  • Emergency response coordination

9.2 Public Health Operations

  • Immunization tracking

  • Disease surveillance

  • Outbreak response

  • Population health management

  • Epidemiological reporting

  • Campaign execution and monitoring

  • Health program evaluation

9.3 System Operations

  • User authentication

  • System monitoring

  • Troubleshooting

  • Technical support

  • Synchronization management

  • Backup and disaster recovery

  • Infrastructure maintenance

  • Performance optimization

9.4 Security and Compliance

  • Fraud prevention

  • Security investigations

  • Access monitoring

  • Audit logging

  • Compliance verification

  • Incident response

  • Regulatory reporting

9.5 Analytics and Product Improvement

Where contractually and legally permitted, Fionet may use de-identified or aggregated information for:

  • System improvement

  • Workflow optimization

  • Health analytics

  • Product enhancement

  • Capacity planning

  • Operational reporting

  • Public health insights

  • Research and validation activities

Fionet does not use identifiable PHI for marketing directed at patients.

10. DE-IDENTIFICATION AND AGGREGATED DATA

Fionet may create de-identified, anonymized, pseudonymized, or aggregated datasets from PHI where legally and contractually permitted.

De-identification measures may include removal, masking, tokenization, aggregation, suppression, or transformation of:

  • Names

  • National identifiers

  • Phone numbers

  • Addresses

  • Dates of birth

  • Exact GPS coordinates

  • Device identifiers

  • Facility-specific identifiers

  • Direct and indirect identifiers

De-identified datasets may be used for:

  • Public health analytics

  • Epidemiological analysis

  • Product improvement

  • System validation

  • Statistical reporting

  • Research support

  • Operational optimization

  • Donor and program reporting

Fionet shall implement reasonable safeguards to reduce re-identification risk.

11. DISCLOSURE OF PERSONAL HEALTH INFORMATION

Fionet does not sell PHI.

PHI may only be disclosed:

  • To authorized healthcare providers

  • To authorized Ministries of Health

  • To approved implementing partners

  • To authorized public health authorities

  • To infrastructure or support subprocessors under confidentiality obligations

  • Under lawful court orders or legal obligations

  • During emergencies or public health events where legally authorized

  • As directed by the customer or data controller

All disclosures shall follow the minimum necessary principle.

Where feasible and legally permissible, disclosures shall be logged and auditable.

12. DATA RESIDENCY AND CROSS-BORDER DATA TRANSFERS

Fionet implementations are designed to support country-specific data residency requirements.

In the majority of deployments, PHI and healthcare data are hosted within the respective country’s approved infrastructure environment under the authority or direction of the applicable Ministry of Health, government agency, or authorized healthcare institution.

Depending on country requirements and implementation architecture, systems may be hosted:

  • On Ministry of Health-managed on-premise infrastructure

  • Within country-approved government data centers

  • Within in-country cloud environments

  • Within customer-controlled infrastructure environments

Fionet does not routinely transfer production PHI outside the country of origin.

Fionet personnel may remotely access systems for authorized support, maintenance, troubleshooting, upgrade, deployment, or operational activities only through customer-authorized and secured access mechanisms, including Ministry of Health-provided VPN connections, bastion hosts, controlled remote access infrastructure, or other approved secure connectivity methods.

Remote access activities are restricted to authorized personnel and are governed by:

  • Role-based access controls

  • Authentication requirements

  • Audit logging

  • Confidentiality obligations

  • Customer authorization processes

  • Security monitoring procedures

Fionet shall not replicate, export, or transfer production PHI outside the hosting jurisdiction unless:

  • Explicitly authorized by the customer or Ministry of Health

  • Required for approved disaster recovery or business continuity operations

  • Required by law

  • Permitted under applicable contracts and regulations

  • Necessary for approved interoperability or reporting obligations

Where cross-border access or transfers are legally permitted and operationally necessary, Fionet shall implement appropriate safeguards including:

  • Contractual protections

  • Encryption

  • Access restrictions

  • Secure remote access controls

  • Logging and monitoring

  • Data processing agreements

13. CLOUD HOSTING AND INFRASTRUCTURE

Fionet systems may be deployed:

  • In customer-owned infrastructure

  • In Fionet-managed infrastructure

  • In approved public cloud environments

  • In hybrid hosting environments

  • In sovereign or country-specific hosting environments

Infrastructure providers and subprocessors handling PHI must be subject to:

  • Security reviews

  • Confidentiality obligations

  • Access restrictions

  • Contractual data protection obligations

  • Incident reporting requirements

14. INFORMATION SECURITY SAFEGUARDS

Fionet maintains administrative, technical, physical, and organizational safeguards designed to protect PHI.

Security controls may include:

14.1 Administrative Controls

  • Confidentiality agreements

  • Security awareness training

  • Role-based access management

  • Background screening where permitted

  • Incident response procedures

  • Vendor risk management

  • Change management controls

  • Acceptable use policies

14.2 Technical Controls

  • Encryption in transit

  • Encryption at rest where supported

  • Authentication controls

  • Multi-factor authentication where implemented

  • Role-based authorization

  • Audit logging

  • Intrusion detection and monitoring

  • Backup protections

  • Malware protection

  • Secure APIs and integration controls

  • Session management controls

  • Mobile device protections

14.3 Physical Controls

  • Secure facilities

  • Restricted server access

  • Environmental protections

  • Device management procedures

14.4 Operational Safeguards

  • Least privilege access

  • Segregation of duties

  • Periodic access reviews

  • Controlled production access

  • Secure software development practices

  • Vulnerability management

  • Patch management

  • Disaster recovery planning

  • Business continuity planning

15. OFFLINE-FIRST AND MOBILE HEALTH SYSTEMS

Many Fionet implementations support offline healthcare delivery workflows.

Where offline functionality exists:

  • Data may temporarily reside on mobile devices until synchronization occurs

  • Mobile devices should be physically secured by authorized users

  • Device-level authentication should be enforced where supported

  • Synchronization should occur through secured channels

  • Lost or stolen devices should be reported immediately

  • Remote disablement or data removal mechanisms may be used where technically feasible

16. ACCESS CONTROL AND USER RESPONSIBILITIES

Access to PHI is restricted to authorized users with legitimate operational need.

Users of Fionet systems must:

  • Protect login credentials

  • Avoid credential sharing

  • Access only information necessary for their duties

  • Report suspected unauthorized access

  • Follow customer and Ministry of Health policies

  • Complete required security training

Fionet reserves the right to monitor and audit system access and usage for compliance and security purposes.

17. AUDIT LOGGING AND MONITORING

Fionet systems may maintain audit logs recording:

  • User logins

  • Record access

  • Data creation and modification

  • Administrative actions

  • Synchronization events

  • Security events

  • Export activities

  • API activity

Audit logs may be reviewed for:

  • Security monitoring

  • Incident investigations

  • Compliance reviews

  • Customer reporting

  • Fraud detection

  • Operational troubleshooting

18. RETENTION AND DISPOSAL

PHI shall be retained only for as long as necessary to:

  • Deliver healthcare services

  • Meet contractual obligations

  • Support public health operations

  • Comply with legal requirements

  • Meet audit and regulatory obligations

Retention periods may vary by country, implementation, customer contract, donor requirement, or applicable law.

Upon expiration of retention requirements, PHI shall be securely:

  • Deleted

  • Destroyed

  • Archived

  • Anonymized

  • Returned to the customer

Disposal methods shall be appropriate to the sensitivity and format of the data.



19. INCIDENT RESPONSE AND BREACH MANAGEMENT

Fionet maintains incident response procedures for actual or suspected privacy or security incidents.

Incident response activities may include:

  • Containment

  • Investigation

  • Risk assessment

  • Recovery

  • Notification

  • Corrective action

  • Regulatory reporting where required

  • Root cause analysis

Where required by law or contract, affected customers, authorities, or individuals shall be notified within applicable timelines.

20. ACCESS TO PERSONAL HEALTH INFORMATION

Subject to applicable law and contractual limitations, individuals may request access to PHI held by Fionet or its customers.

Where Fionet acts solely as a processor or service provider, requests may be redirected to the appropriate healthcare provider or Ministry of Health.

Access requests may be denied or limited where:

  • Disclosure is prohibited by law

  • The requester cannot be adequately verified

  • Disclosure may endanger safety

  • Disclosure may interfere with investigations

  • The information contains third-party confidential information

  • Legal privilege applies

  • The request is abusive, frivolous, or excessive

Reasonable efforts shall be made to respond within applicable legal timelines.

21. CORRECTION OF PERSONAL HEALTH INFORMATION

Individuals may request correction of inaccurate or incomplete PHI.

Where appropriate:

  • Corrections shall be applied

  • Amendments shall be logged

  • Relevant parties may be notified

  • Disputed information may be annotated

Certain historical clinical records may be preserved without deletion to maintain clinical integrity and auditability.

22. CHILDREN AND VULNERABLE POPULATIONS

Fionet systems frequently support maternal, newborn, child health, immunization, and community health programs.

Additional safeguards may apply to:

  • Children

  • Pregnant individuals

  • Refugees and displaced populations

  • Vulnerable communities

  • Sensitive infectious disease programs

Access to sensitive records may be additionally restricted based on program requirements or local law.

23. THIRD-PARTY PROCESSORS AND SUBPROCESSORS

Fionet may engage approved subprocessors or service providers for:

  • Cloud hosting

  • Data backup

  • Monitoring

  • Technical support

  • Messaging services

  • Infrastructure operations

  • Security services

  • Analytics support

Subprocessors handling PHI must:

  • Be contractually bound by confidentiality obligations

  • Maintain appropriate security safeguards

  • Process data only for authorized purposes

  • Notify Fionet of relevant incidents where required

24. INTEROPERABILITY AND SYSTEM INTEGRATIONS

Fionet systems may exchange data with:

  • National HMIS platforms

  • EMRs

  • Laboratory systems

  • Logistics systems

  • Identity systems

  • Surveillance platforms

  • DHIS2 and related systems

  • Government registries

  • Third-party APIs

Such integrations shall be governed through:

  • Access controls

  • Secure communication protocols

  • API authentication

  • Customer authorization

  • Data sharing agreements where applicable

25. PRODUCT DEVELOPMENT AND TESTING

Fionet shall avoid using production PHI in non-production environments unless:

  • Explicitly authorized

  • Operationally necessary

  • Adequately protected

  • Access restricted

Where possible, testing and development environments shall use:

  • Synthetic data

  • Masked data

  • De-identified data

26. TRAINING AND AWARENESS

Fionet personnel with access to PHI shall receive training appropriate to their role, including:

  • Privacy obligations

  • Security responsibilities

  • Incident reporting

  • Acceptable use

  • Access management

  • Data handling requirements

  • Secure development practices where applicable

Training may be refreshed periodically.

27. PRIVACY BY DESIGN

Fionet incorporates privacy and security considerations into system design and operational processes.

This may include:

  • Role-based permissions

  • Configurable access restrictions

  • Auditability

  • Encryption support

  • Secure synchronization

  • Configurable retention controls

  • Data minimization approaches

  • Segregation of environments

  • API security controls

28. COMPLIANCE, AUDITS, AND GOVERNANCE

Fionet may conduct:

  • Internal privacy reviews

  • Security assessments

  • Access reviews

  • Compliance monitoring

  • Vendor assessments

  • Risk assessments

  • Penetration testing

  • Operational audits

Customers may request reasonable compliance documentation subject to confidentiality and security limitations.

29. PRIVACY OFFICER

Fionet shall maintain a designated Privacy Officer responsible for:

  • Privacy governance

  • Policy oversight

  • Incident coordination

  • Regulatory liaison

  • Complaint management

  • Access and correction request coordination

  • Privacy training oversight

  • Data protection reviews

Privacy-related inquiries may be directed to:

Privacy Officer Email: privacyofficer@fio.com

30. COMPLAINTS AND REGULATORY RIGHTS

Individuals may submit complaints regarding:

  • Privacy practices

  • Unauthorized access

  • Disclosure concerns

  • Data correction disputes

  • Security concerns

  • Access denials

Fionet shall investigate complaints reasonably and in good faith.

Where applicable, individuals may also contact relevant regulatory authorities or data protection agencies.

31. LIMITATIONS

While Fionet employs reasonable safeguards designed to protect PHI, no system, network, mobile device, or transmission mechanism can be guaranteed to be completely secure.

Customers and users also share responsibility for:

  • Appropriate device security

  • Credential management

  • Local operational controls

  • Physical protection of equipment

  • Compliance with applicable procedures

32. POLICY REVIEW AND AMENDMENTS

This policy shall be reviewed periodically and may be updated to reflect:

  • Regulatory changes

  • Product evolution

  • Operational changes

  • Security requirements

  • Customer obligations

  • Emerging risks

Updated versions shall supersede previous versions upon approval and publication.