
AUTHORIZATION:
Contact Authorization:
- IMS, Inc. is committed to protecting and respecting your privacy, and we’ll only use your information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products, services, and other content that may be of interest to you.
Data Storage Authorization:
- To provide you with the service requested, we may need to store and process your business data, including but not limited to the following:
  - Your organization’s name and address.
  - Your organization’s sensitive data that is sent for specific processing needs (including protected health information (PHI) and personally identifiable information (PII)).
PRIVACY POLICY:
Information Collection:
- IMS, Inc. is the sole owner of the information collected on its website: IMSDIRECT.COM. IMS, Inc. may collect information from our customers at various points throughout our website. We also collect information that our customers provide in accordance with the expectations and terms of our contract.
Information Use:
- Any information collected on our website is only used to contact you about our products and services. Any other information and data sent to us by our clients are used solely to perform the services outlined in our contracts. We do not share any of your information with third parties.
SHARING:
Legal Disclaimer:
- We may need to disclose personal information when required by law, wherein we have a good-faith belief that such action is necessary to comply with a current judicial proceeding, a court order, or a legal process served on our website. We also may be required to disclose an individual’s personal information in response to a lawful request by public authorities to meet national security or law enforcement requirements.
Third-Party Advisors:
- IMS, Inc. DOES NOT share website usage information about users with third parties. If we were to engage in any onward transfers with third parties, we would provide you with an opt-out choice. IMS, Inc. DOES NOT share client-sensitive information with third parties unless it is included within our client contract terms or if the client is aware of and has given consent for IMS, Inc. to do so.
Children:
- Our Products and Services are not intended for children under 13, and we do not knowingly collect information from children under 13. Children aged 13 or older should not submit any personal information without the permission of their parents or guardians. By purchasing Products and Services, you represent that you are at least 18 years old, or at least 13 years old and have your parents’ or guardians’ permission to use the website and our related products and services. If we learn that we have collected personal information from a child under the age of 13, we will delete that information as soon as possible.
Protection of Organizational Records:
- Individually identifiable information is retained and safeguarded for a period of 50 years following the date of death of the individual.
- Compliance with notice requirements is documented by retaining copies of the organization’s notices for a period of six years and, if applicable, any written acknowledgments of receipt of the notice or documentation of reasonable faith efforts to obtain such written acknowledgment.
- Restrictions are documented in writing and formally maintained, or an electronic copy of such writing is maintained, as an organizational record for six years.
- Records (PII) that are subject to access by individuals are documented and maintained, including the titles of the persons or offices responsible for receiving and processing requests for access by individuals, as organizational records for a period of six years.
- Disclosure accountings are documented and maintained for six years, including the information required for disclosure, the written accounting provided to the individual, and the titles of the persons or offices responsible for receiving and processing requests for accounting.
- Formal policies and procedures, other critical records (e.g., results from a risk assessment), and disclosures of individuals’ protected health information are retained for a minimum of six years. For electronic health records, records of disclosures to carry out treatment, payment, and healthcare operations are retained for a minimum of three years.
- Important records, such as contracts, personnel records, financial information, and client/customer information, are protected from loss, destruction, and falsification. Security controls, such as access controls, encryption, backups, electronic signatures, and locked facilities or containers, are implemented to protect these essential records and information.
- Guidelines are issued on the ownership, classification, retention, storage, handling, and disposal of all records and information.
- Senior management reviews and approves the security categorizations and associated guidelines.
Data Protection and Privacy of Covered Information:
- A person responsible, such as a data protection officer or privacy officer, who reports directly to the highest level of management (e.g., a CEO), is appointed and is responsible for the organization’s individual privacy protection program. Such an appointment is based on professional qualities, particularly expert knowledge of data protection law and practices, as well as the ability to fulfill the required tasks.
- Where required by legislation, consent is obtained before any PII (e.g., about a client/customer) is emailed, faxed, or communicated by telephone conversation or otherwise disclosed to parties external to the organization.
- Covered information, at minimum, is rendered unusable, unreadable, or indecipherable anywhere it is stored, including on personal computers (laptops, desktops), portable digital media, backup media, servers, databases, or in logs; exceptions are authorized by management and documented. Encryption is implemented through one-way hashes, truncation, or strong cryptography and key management procedures. Acceptable encryption algorithms and key strengths are AES-CBC or Triple DES, with a minimum key length of 128 bits (256 bits for cloud services). For full-disk encryption, logical access is independent of operating system (OS) access, and decryption keys are not tied to user accounts. The information system protects the confidentiality and integrity of information at rest. If encryption is not applied because it is deemed not reasonable or appropriate, the organization documents its rationale for the decision or uses alternative compensating controls, such as encryption, if the method is approved and reviewed annually by the CISO.
- Security and privacy protections are explicitly identified and implemented to ensure protection for the transfer of organizational records, or extracts of such records, containing sensitive personal information to a state, federal agency, or other regulatory body that lawfully collects such information.
- Covered information storage is kept to a minimum.
- Locations are specified for the storage of covered information.
Security:
- IMS, Inc. implements security controls to protect your data and only stores your data and the necessary resources to provide you with the best possible service, information, and resources.
- We use reasonable and appropriate measures to protect your information. When customers submit sensitive information through the website, their data is protected both online and offline.
- When our users/clients submit sensitive information (such as credit card information and social security numbers), that information is encrypted and protected with the best encryption software in the industry – SSL.
- While we use SSL encryption to protect sensitive information online, we do everything we can to protect user information offline. Our customer information, including the sensitive information mentioned above, is restricted to authorized office users. Only employees who need access to personally identifiable information to perform a specific job duty (for example, our billing clerks, data processors, or customer service representatives) are granted access. Our employees must use password-protected screensavers when they leave their desks. When they return, they must re-enter their password to regain access to user information. Furthermore, ALL employees are kept up to date on our security and privacy practices.
- Essential records, such as contracts, personnel, financial, and client/customer information, are protected from loss, destruction, and falsification. Security controls, such as access controls, encryption, backups, electronic signatures, locked facilities, or containers, are implemented to protect these essential records and information.
Addressing Security When Dealing with Customers:
- The public can access information about our privacy activities and communicate with the senior privacy official (e.g., the Chief Privacy Officer or the Chief Data Protection Officer).
Data Retention:
- IMS, Inc. must balance our legal obligations and need to retain information for business purposes against the cost of storing and securing such information. Our standard data retention policy is 90 days unless otherwise agreed upon and stated in our Master Service Agreement. IMS, Inc. securely and adequately disposes of all data, including electronic and printed data.
Notification Of Changes:
- Changes to our privacy policy are posted to this privacy statement and other places we deem appropriate, so our customers are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.
Legal Basis for Processing:
- At the core of all personal information processing activities undertaken by IMS, Inc. is the assurance and verification that we comply with applicable privacy laws and regulations and our lawfulness of processing obligations. Before carrying out any personal data processing activity, we identify and establish the legal basis for doing so and verify these against requirements to ensure we use the most appropriate legal basis. Data is only obtained, processed, or stored when we have met the lawfulness of processing requirements, where:
  - The data subject has consented to processing their personal data for one or more specific purposes.
  - Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the data subject’s request before entering into a contract.
  - Processing is necessary for compliance with a legal obligation to which we are subject.
  - Processing is necessary to protect the vital interests of the data subject or another natural person.
  - Processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the organization.
  - Processing is necessary for the legitimate interests pursued by the organization or third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require personal data protection, where the data subject is a child).
- Processing Special Category Data.
Right Of Data Subjects:
- The rights of data subjects, per applicable data privacy laws and regulations, include:
  - Consent and the right to be informed.
  - Privacy notice.
  - Procedures to handle personal data not obtained from the data subject.
  - Right of access to the personal data of the data subject.
  - Data portability.
  - Data rectification and erasure.
  - Individual right to seek restriction on data processing.
  - Individual objections and automated decision-making.
REVISION CONTROL:
| Revision Date | Revision Level | Revised by | Approved by |
| --- | --- | --- | --- |
| 05/12/2022 | A | Deanna Hoff | Tara DeBois |
| 09/24/2024 | B | Deanna Hoff | Tara DeBois |
| 09/30/2025 | C | Deanna Hoff | Tara DeBois |