pH7 Compliance: Legal and Regulatory Information (UK)
1. General Medical Compliance
United Kingdom - General Medical Council (GMC):
Doctor Standards:
All doctors using the pH7 platform are independent practitioners registered with the GMC and listed on its Specialist Register. Only CQC-registered clinics and healthcare providers are permitted to use our platform. Each doctor's specialty is clearly communicated to patients before any consultation.
Verification and Clinical Guidelines:
Each doctor is independently audited. Before any consultation, patients complete a comprehensive onboarding and identity verification process. The patient's medical history and identity information are shared securely with the doctor and retained by both the patient and the doctor.
General Pharmaceutical Council (GPhC):
Pharmacy Compliance:
All pharmacies on the pH7 platform are verified as registered with the GPhC and adhere strictly to safe and lawful dispensing practices, including prescription verification and accurate record-keeping.
2. Data Protection and Privacy
General Data Protection Regulation (GDPR):
Lawful Basis for Processing:
We process patient data on the lawful bases of consent and contractual necessity, as set out in our T&Cs. All patient data is encrypted and anonymised where possible, and explicit patient consent is required for any use of data beyond the operation of the essential service.
Data Subject Rights and Security:
Patients can access, correct, and delete their data through their profile settings. We encrypt data using industry-standard methods, and our security protocols are reviewed quarterly. pH7 and its employees do not have access to patient medical records, preserving the confidentiality of patient information.
Data Minimisation and Retention:
We collect only the data essential for facilitating consultation bookings and prescription purchases, such as the patient's name, address, telephone number, and email address, and we apply clearly defined retention policies to it. The risks of processing sensitive health data are assessed through Data Protection Impact Assessments (DPIAs).
3. Telemedicine and Remote Prescribing Regulations
Remote Consultation Standards:
Verification and Documentation:
We ensure that patients provide a comprehensive summary of care, which is required in the UK for medical cannabis prescriptions. Our system facilitates patient-doctor interaction without influencing the doctor's clinical decisions. All relevant medical data is stored securely and is accessible only to the patient and the doctor.
Prescription Guidelines:
Controlled Substances:
We comply with the Misuse of Drugs Regulations 2001. Prescriptions for medical cannabis are issued as physical prescriptions and handled directly between the doctor and the pharmacy, ensuring secure and lawful dispensing.
4. Financial and Payment Processing
Financial Conduct Authority (FCA):
Payment Processing Compliance:
We adhere to FCA regulations in handling payments, ensuring that all transactions are verified and secure. We also implement Anti-Money Laundering (AML) measures and perform Know Your Customer (KYC) checks on all parties involved in financial transactions.
5. Cybersecurity Standards
Technical and Organisational Measures:
Data Encryption and Access Controls:
All data is encrypted at rest and in transit, and role-based access controls ensure that only authorised personnel can access sensitive information. Detailed audit trails are maintained to monitor access and detect unauthorised activity.
Compliance Standards:
Cyber Essentials and ISO/IEC 27001:
We follow the Cyber Essentials controls and are evaluating ISO/IEC 27001 certification to strengthen our information security management.
Encryption and Profile Data Security:
End-to-End Encryption:
Patient-doctor communications are end-to-end encrypted, so neither pH7 staff nor pH7 developers can access their content. All patient medical data is encrypted and inaccessible to pH7 staff; it is readable only by the patient and the treating doctor on the pH7 platform.
6. Product Catalogue and Consent
Product Catalogue Access:
In the UK, the product catalogue is made visible to a patient only at the discretion of the prescribing doctor. Each such release is logged for regulatory compliance.
Consent Management:
Data Consent and Retention:
We maintain a log of all consents given by patients and apply retention policies aligned with the GDPR.
Handling Special Categories of Data:
Sensitive Data Protection:
Special categories of data, including health, racial or ethnic origin, genetic, and biometric information, are processed with stringent protections and only with the patient's explicit consent. Standard Contractual Clauses (SCCs) are in place for any cross-border data transfers.