Healthcare Information Privacy & Security

Last Updated: March 1, 2024

Important: This document outlines our compliance with healthcare privacy regulations including PIPEDA (Canada), PHIPA (Ontario), and HIPAA (for cross-border clients).

Our Compliance Framework

PIPEDA Compliant

Personal Information Protection and Electronic Documents Act

πŸ₯

PHIPA Compliant

Personal Health Information Protection Act (Ontario)

HIPAA Compliant

Health Insurance Portability and Accountability Act

1. Healthcare Privacy Compliance

1.1 PIPEDA Compliance (Canada)

As a Canadian healthcare provider, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets the standard for how private-sector organizations collect, use, and disclose personal information in the course of commercial activity.

Key PIPEDA Principles We Follow:

  • Accountability: We have designated a Privacy Officer responsible for compliance
  • Identifying Purposes: We clearly state why we collect personal health information
  • Consent: We obtain meaningful consent for collection, use, and disclosure
  • Limiting Collection: We only collect information necessary for identified purposes
  • Limiting Use, Disclosure, and Retention: Information is only used for stated purposes
  • Accuracy: We keep personal health information accurate and up-to-date
  • Safeguards: We protect information with appropriate security measures
  • Openness: We make our policies and practices readily available
  • Individual Access: Individuals can access their information and challenge its accuracy
  • Challenging Compliance: Individuals can challenge our compliance with these principles

1.2 PHIPA Compliance (Ontario)

For clients in Ontario, we additionally comply with the Personal Health Information Protection Act (PHIPA), which specifically governs the collection, use, and disclosure of personal health information within the health sector.

1.3 HIPAA Compliance (Cross-Border)

For clients who receive services that involve US-based healthcare providers or insurance companies, we comply with the Health Insurance Portability and Accountability Act (HIPAA) standards for protected health information (PHI).

2. Protected Health Information (PHI)

2.1 Definition of PHI: Protected Health Information includes any information that relates to:

  • An individual's past, present, or future physical or mental health condition
  • The provision of healthcare to an individual
  • Payment for healthcare provided to an individual
  • Information that identifies the individual or could reasonably be used to identify the individual

2.2 Examples of PHI We Handle:

  • Medical records and treatment plans
  • Medication lists and prescriptions
  • Laboratory test results
  • Insurance information and billing records
  • Healthcare provider notes and assessments
  • Caregiver visit notes and reports

3. Security Safeguards

3.1 Administrative Safeguards

  • Privacy and security training for all staff
  • Designated Privacy and Security Officers
  • Risk analysis and management procedures
  • Information access management policies
  • Security incident response procedures
  • Contingency planning for data backup and disaster recovery

3.2 Physical Safeguards

  • Secure facility access controls
  • Workstation security policies
  • Device and media controls
  • Secure disposal of physical records

3.3 Technical Safeguards

  • End-to-end encryption for all electronic PHI
  • Secure user authentication and access controls
  • Automatic logoff for inactive sessions
  • Audit controls and activity logging
  • Transmission security for data in motion

4. Your Rights Regarding PHI

4.1 Right to Access: You have the right to inspect and obtain a copy of your protected health information.

4.2 Right to Amend: You may request amendments to your PHI if you believe it is incorrect or incomplete.

4.3 Right to Accounting of Disclosures: You have the right to receive an accounting of certain disclosures of your PHI.

4.4 Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI.

4.5 Right to Request Confidential Communications: You may request that we communicate with you about health matters in a certain way or at a certain location.

4.6 Right to a Copy of this Notice: You have the right to a paper copy of this notice.

5. Breach Notification

In the event of a breach of unsecured protected health information, we will notify affected individuals as required by applicable laws:

Breach Notification Timeline:

  • Without unreasonable delay: We will notify affected individuals following discovery of a breach
  • Within 60 days: Maximum time for notification as required by HIPAA
  • Immediate notification: For breaches involving significant risk of harm

Notifications will include:

  • A description of what happened
  • The types of information involved
  • Steps individuals should take to protect themselves
  • What we are doing to investigate and mitigate the breach
  • Contact information for questions

6. Business Associate Agreements

When we work with third-party service providers who may have access to protected health information, we enter into Business Associate Agreements (BAAs) that require them to:

  • Implement appropriate safeguards to protect PHI
  • Report any breaches of unsecured PHI
  • Ensure subcontractors agree to the same restrictions
  • Comply with applicable privacy regulations

Our Business Associates include:

  • Electronic health record providers
  • Billing and claims processing services
  • IT and cloud service providers
  • Quality assurance and audit services

7. Contact Information

Privacy Officer

Sarah Johnson

Email: info@sovereignease.com

Phone: 613-693-0721 (ext. 701)

Security Officer

Michael Chen

Email: info@sovereignease.com

Phone: 613-693-0721 (ext. 702)

Mailing Address

Sovereign Ease Healthcare Inc.

Attention: Privacy Office

123 Healthcare Ave, Toronto, ON M5V 2T6

Complaints: If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the appropriate regulatory authority. We will not retaliate against you for filing a complaint.

Note: This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This notice is effective as of March 1, 2024, and will remain in effect until we replace it.
