26. Data Transfer Impact Assessment

The purpose of this policy is to assess the impact of data transfers that may occur across international borders, covering the types / categories of data transferred, the mechanism used to transfer data, the purpose of the data transfer, any potential risks with the data transfer, rights of data subjects, incident management and ongoing review of international data transfers.

Luma Health reviews this policy on at least an annual basis or whenever there is a material change.

26.1 Data Mapping

26.1.1 Categories of Data Transferred

  • Scheduled Appointments
  • Open Slots
  • New Appointments
  • Existing Appointment Statuses
  • Patients
  • Patient Demographics
  • Patients by Various Identifiers (Name, Date of Birth, Gender, etc)
  • Patient Insurance
  • Patient Balances
  • Patient Clinical Data (USCDI data set)
  • Patient diagnosis
  • Patient procedures
  • Patient referrals
  • Patient recalls
  • Patient orders
  • Patient documents (PDFs)
  • Locations/Facilities/Departments
  • Providers/Practitioners
  • Appointment Types / Visit Types

26.1.2 Purpose of Data Transfer

Data is transferred to / processed by Luma Health in order to provide contracted services to its customers only.

Contractual performance and Legitimate Business Interest

26.1.4 Data Controller

Luma Health’s customers act as the Data Controller(s)

26.1.5 Data Processor

Luma Health acts as a Data Processor along with Luma Health’s subprocessors. Refer to Luma’s Subprocessor list for a comprehensive list of Third-Party subprocessors

26.1.6 Countries and Jurisdictions Involved

Data from across the world may be transferred to the United States of America for processing by Luma Health

26.2 Data Transfer Mechanism

  • Luma Health relies on Standard Contractual Clauses (SCCs) as the transfer mechanism for personal data
  • SCCs ensure an adequate level of data protection by contractually binding the Data Controller (Luma Health Customers) and the Data Processor (Luma Health) to comply with Data Privacy requirements.

26.3 Necessity and Proportionality

  • Data transfers are necessary to fulfill Luma Health’s contractual obligations to its customers
  • Luma Health’s systems are architected to only transfer and process the minimum amount of data required to provide contracted services to its customers, ensuring proportionality

26.4 Risk Assessment

26.4.1 Potential Risks

  • Unauthorized access to data during transfer or processing
  • Unauthorized disclosure of data during transfer or processing

26.4.2 Likelihood and Severity of Risks

  • The likelihood of any Potential Risks being realized is low, due to strong organizational controls Luma Health has in place
  • The severity of any Potential Risks being realized is High, due to the sensitive nature of the data Luma Health could be transferring and/or processing

26.5 Safeguards and Measures

Luma Health is ISO 27001:2022 and HITRUST CSF r2 Certified, and SOC 2 Type II Attested. As such Luma Health has a fully documented set of Information Security and Data Privacy Policies, Procedures and Controls that are independently audited by a third party no less than annually to ensure they are operating effectively

26.5.1 Technical Safeguards

  • Data is encrypted both in transit and at rest using industry standard protocols such as AES-256 and TLS 1.2. Data is not transferred or stored in an unencrypted state
  • Fully documented Access Control policies and procedures along with enforced centrally managed strong authentication methods limit access to data to a limited set of individuals with a defined business need
  • Data minimization by design to ensure that only the minimum amount of data required to provide contracted services is transferred and processed

26.5.2 Organizational Safeguards

  • Continuous Employee Training and Awareness program ensuring Luma Health employees are aware of Data Protection best practices and their obligations when working with personal data
  • Fully Documented Policies and Procedures including but not limited to Incident Management and Data Breach Notification
  • Appointment of a Data Privacy Officer (DPO) and dedicated Security and Compliance team to oversee Data Privacy Compliance efforts

26.5.3 Contractual Safeguards

  • Contractual agreements with subprocessors stipulating Data Privacy Compliance obligations
  • Provisions for Data Subjects, including the right to access, rectify, or erase personal data.

26.6 Data Subject Rights

  • Data subjects are informed about Data Transfers, Data Processing and their rights via Luma Health’s Privacy Policy and Terms of Service
  • Policies and Procedures to respond to Data Subject Access Requests in a timely manner.
  • Contact Information for relevant interested parties at Luma Health is available publicly

26.7 Incident Management

  • Luma Health has fully documented Incident Management, Privacy Incident Management and Security Incident Management policies and procedures that follow both ISO 27001:2022 and HITRUST CSF r2 frameworks
  • Luma Health has policies and procedures in place to provide required notifications to required individuals and interested parties in required timeframes
  • Luma Health tests its Incident Management procedures no less than annually or whenever there is a material change

26.8 Ongoing Monitoring and Review

  • Luma Health conducts regular internal audits in addition to regular audits of its subprocessors to ensure ongoing compliance with Data Privacy regulations.
  • Luma Health reviews the effectiveness of this policy and associated policies and procedures no less than annually or whenever there is a material change

This Transfer Impact Assessment demonstrates Luma’s commitment to ensuring the lawful and secure transfer of personal data in compliance with Data Privacy requirements. The assessment will be regularly updated to reflect any changes in Data Transfer and/or Processing activities or regulatory requirements