Software Privacy Policy

1 Overview

The purpose of this document is to establish the privacy policies and practices for all software developed and owned by MolecuLight. These policies establish standards by which MolecuLight will develop and manage software to minimize any risks to customer-associated PHI (Patient Health Information) and unauthorized access to MolecuLight’s proprietary information.

2 Scope

All employees, contractors, consultants, temporary and other workers at MolecuLight must adhere to this policy. This policy applies to any software applications developed by MolecuLight. This policy applies to any servers that are owned, operated, or leased by MolecuLight or under a MolecuLight-owned internal network domain.

3 Policy

3.1 General Requirements

3.1.1 All personal devices used by MolecuLight employees must be password protected and require two-factor authentication.
3.1.2 Upon termination of a MolecuLight employee, all the employee’s credentials on any MolecuLight software shall be removed.
3.1.3 No MolecuLight employee is permitted to store PHI on personal devices.
3.1.4 All patients must be notified of the intended use of the software and their data prior to the use of data for commercial, research, and/or marketing purposes.
3.1.5 All users must be notified that MolecuLight maintains the software.
3.1.6 When a software application developed by MolecuLight integrates with an EMR (Electronic Medical Record), the application will not retain PHI in non-volatile memory for longer than is needed for the approved use(s) and as described in the terms and conditions approved by the user.
3.1.7 Whenever possible, a software application integrating with an EMR should directly authenticate with the EMR using the user’s EMR authentication credentials, as the preferred method of authentication.
3.1.8 In cases where a software application developed by MolecuLight stores PHI and images, the PHI and image metadata are immediately encrypted.
3.1.9 MolecuLight will allow users to comply with their own password policies by a) providing the ability to configure password restrictions on software that stores PHI or b) using the user’s EMR authentication credentials for EMR-integrated software.
3.1.10 Each employee must go through an industry-accepted Health Insurance Portability and Accountability Act (HIPAA) training program before handling any PHI as an employee of MolecuLight Inc.
3.1.11 Access to PHI stored by MolecuLight will be granted only for employees that require access for work-related purposes. Access to PHI will be granted on an individual basis.
3.1.12 MolecuLight complies with regulatory reporting timeframes to address and resolve privacy concerns.
3.1.13 MolecuLight aims to address privacy issues within 72 hours and notifies customers of any issues within 2-3 weeks.
3.1.14 MolecuLight aims to resolve critical privacy issues within 4 weeks of the initial complaint.
3.1.15 Any privacy-related concerns may be directed to Desmond Hirson (DHirson@moleculight.com, Chief Operating Officer, MolecuLight).

PN 1887 Rev. 1.0

This statement was last updated on July 30, 2020.
Copyright © 2020 MolecuLight Inc.