MEDISYS HEALTH GROUP’S POLICY ON THE COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION
OBJECTIVE AND SCOPE OF POLICY
Medisys Health Group Inc. (“Medisys”) is a national provider of healthcare services to corporations, insurance companies, and individuals. Consistent with our obligations as healthcare professionals, we are dedicated to maintaining high standards of confidentiality with respect to all information that has been provided to us, with a particular focus on health information. This policy statement (the “Policy”) has been prepared to affirm our commitment to maintaining the privacy of our clients and others and to inform you of our practices concerning the collection, use and disclosure of Personal Information (as defined below) collected by Medisys. This Policy not only applies to Medisys but also to our subsidiary companies.
At Medisys, safeguarding your confidentiality and protecting your personal and health information is fundamental to the way we do business. This commitment has not changed with the arrival of services delivered via the Internet or other such online services. Instead, it has been extended to ensure your experiences with us online are as private, secure and as safe as your dealings with us have been in and through traditional business media.
Our obligations as healthcare professionals are governed, in part, by the national and provincial regulations that govern each of our healthcare professionals as members of their applicable regulatory bodies and associations (e.g. Canadian Medical Association, College of Family Physicians of Canada, College of Physicians and Surgeons of Ontario, Collège des médecins du Québec, etc.). The obligations set out in this Policy apply to all professionals, employees, contractors and agents who provide services in connection with our delivery of services to our clients. Other applicable laws and internal policies govern the protection of Personal Information of partners, associates and employees of Medisys.
For the purposes of this Policy, “Demographic Information” means any information other than personal Health Information (as defined below), recorded in any form, about an identified individual, or an individual whose identity may be inferred or determined from the information.
This policy does not cover any information, recorded in any form, about more than one individual where the identity of the individuals is not known and cannot be inferred from the information (“Aggregated Information”). Medisys retains the right to use Aggregated Information in any way that it determines appropriate and reasonable.
For the purposes of this Policy, “Health Information” with respect to an individual, recorded in any form, means (a) information concerning the physical or mental health of the individual; (b) information concerning any health service provided to the individual; (c) information concerning the donation by the individual of any bodily substance or information derived from the testing or examination of a body part or bodily substance of the individual; (d) information that is collected in the course of providing health services to the individual; or (e) information that is collected incidentally to the provision of health services to the individual.
Demographic Information and Health Information are referred to collectively in this document as “Personal Information”.
PROTECTING YOUR PRIVACY – OUR COMMITMENT TO YOU
At Medisys, protecting your privacy means that (i) we keep your information and the business you do with us in strict confidence; (ii) your information is not sold; (iii) you have control over how we obtain, use, and give out information about you; (iv) you have access to the information we have about you; (v) you may ask us to correct the information we have about you; and (vi) we respect your privacy when we market our products and services.
We are committed to meeting or exceeding the privacy standards established by federal and provincial laws and industry standards. All of our information-handling practices comply with federal and applicable provincial laws including the Personal Information Protection and Electronic Documents Act (widely known either as “PIPEDA” or the “PIPED Act”), an initiative designed to further protect the privacy of Canadian consumers.
PIPEDA and all other applicable provincial laws have, as their core, the following 10 guiding privacy principles:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Safeguarding Client Information
- Client Access
- Handling Client Complaints and Suggestions
We have designed this Policy to address all of these 10 guiding principles.
WHAT INFORMATION IS COLLECTED? WHY DOES MEDISYS COLLECT PERSONAL INFORMATION?
Having up-to-date and accurate information helps us provide you with the best possible service and recommendations and, in certain cases, to offer additional services we believe might be of benefit to you.
At Medisys, we generally collect two types of information from our clients and from web site visitors. With your consent, we collect Personal Information. We may also collect anonymous/non-personal information.
Personal Information is information that refers to you specifically, whether factual or subjective.
With your consent, we may gather personal information from you in person, over the telephone or by corresponding with you via mail or the Internet.
The types of Personal Information that we usually collect and maintain in your file may include, but are not limited to, your:
a) Demographic Information
Note: As outlined in the PIPED Act, personal information does not include the name, title, business address or telephone number of an employee of an organization.
b) Health Information
For every consultation, whether in person, over the telephone or by corresponding with you via mail or the Internet, physicians must collect, organize, hold and maintain a medical chart with information relevant to the medical problem or incident in question.
Medisys collects only such information from individuals or organizations as is required for the purposes of providing services or information to them, marketing other services or products to them (as applicable) and for aggregated statistical analyses. To the greatest extent possible, we will collect Personal Information directly from the individual concerned. In certain cases, we will be required to collect Personal Information from other sources, including but not limited to your employer, treating physician, consulting physicians, and insurers. In those cases, we will request your consent to obtain information from those sources.
In certain circumstances, Medisys may also collect personal information relating to a client from sources other than the client, if justified by a serious and legitimate reason, and the information is collected in the interest of the client concerned and cannot be collected from him or her in due time.
We collect Personal Information for different purposes, depending on the type of service we are providing to you, your employer, or your insurer, as applicable.
These purposes may include:
- Providing you with executive health services;
- Providing you with occupational health services (including pre-placement examinations, periodic medical examinations, independent medical evaluations);
- Providing you with travel health services (including vaccinations and medical consultations);
- Collecting information for the underwriting requirements of insurance companies to which you are applying for life or health insurance;
- Providing you with medical imaging services (including MRI, CT, x-ray, ultrasound);
- Providing you with digital health services, via an app-based platform or other digital means;
- Providing disability management services to you or your employer;
- Providing you with other services or products in the future;
- Internal quality control processes; and
- Aggregated statistical analyses.
When you visit our web sites, information is not collected that could identify you personally unless you choose to provide it voluntarily. You are welcome to browse these web sites at any time anonymously and privately without revealing any personal or health information about yourself.
To help us better understand our markets, we may also gather information for analytical purposes by conducting anonymous client surveys, by extracting demographic information from existing files and from Statistics Canada.
Ownership of Personal Information
It is important to note that, as a client, you own your Personal Information. This Policy outlines how you can request access or changes to, or obtain copies of your Personal Information. However, the format in which your Personal Information is kept, including but not limited to the medical records, charts, film, software, databases, applications, methodologies and processes for gathering, processing and storing such Personal Information, belongs to Medisys and/or our physicians (as it applies to certain Health Information), as applicable.
HOW DOES MEDISYS OBTAIN CONSENT TO USE AND DISCLOSE PERSONAL INFORMATION?
At Medisys, we are obliged to keep your Demographic Information and Health Information confidential except when authorized by you. We use Personal Information for the purposes described above.
In some cases, your consent to the use and/or disclosure of your Personal Information will be obtained verbally or in writing, through an informed consent form. In other cases, such as when you book an appointment over the Internet, your consent will be obtained electronically. In providing healthcare services, as outlined in the Canadian Medical Association’s discussion on privacy in medical practices, consent is implied for the collection, use and disclosure of Personal Information needed for care and treatment.
Your provision of Personal Information to Medisys means that you agree and consent that we may collect, use and disclose your Personal Information in accordance with this Policy. If you do not agree with these terms, you are requested not to provide any Personal Information to Medisys. Remember, the choice to provide us with Personal Information is always yours, and your consent for us to use your Personal Information can be withdrawn, in writing at any time. However, in providing healthcare services, your decision to withhold particular details may limit the services we are able to provide and make it more difficult for us to advise you, provide services to you, ensure the follow-up required by certain conditions, or suggest appropriate alternatives.
If we are unable to accommodate your request based on the information that has been provided, we may ask for additional details in order to identify other ways to be of assistance. In some instances, we may also maintain a file containing contact history that is used for client inquiry purposes.
In the course of daily operations, access to private, sensitive and confidential information is restricted to authorized employees who have a legitimate business purpose and reason for accessing it. For example, when you call us, visit our offices, or email us, our designated employees will access your information to assist in providing services to you. It is important to note that only medical professionals (nurses, physicians, technicians, etc.) or others on a need-to-know basis will have access to your Health Information.
As a condition of their employment, all employees of Medisys are required to abide by the privacy standards we have established. They are also required to work within the principles of ethical behaviour as set out in our internal employee rules and must follow all applicable laws and regulations. Employees are well informed about the importance of privacy and they are required to sign either a code of conduct or a confidentiality agreement that prohibits the disclosure of any Personal Information to unauthorized individuals or parties.
Unauthorized access to and/or disclosure of client information by an employee of Medisys is strictly prohibited. All employees are expected to maintain the confidentiality of Personal Information at all times and failing to do so will result in appropriate disciplinary measures, which may include dismissal.
Outside Service Suppliers
At Medisys, in order to provide certain services, we sometimes contract outside organizations or healthcare professionals to perform specialized services such as independent medical evaluations, paramedical examinations, or data processing. Our trusted service suppliers may at times be responsible for processing and handling some of the information we receive from you. For example, in order to perform an independent medical evaluation, we are required to provide the independent physician with enough Personal Information for them to be able to perform their role. Another example would be referring you to a specialist physician for additional tests – we need to be able to provide them with enough Personal Information to be able to assist you.
In these cases, Medisys may disclose Personal Information to organizations that perform services on our behalf. Personal Information will only be provided to such organizations with your informed consent, if they agree to use such information solely for the purposes of providing services to Medisys and under the instruction of Medisys and, with respect to that information, to act in a manner consistent with applicable laws and the relevant principles articulated in this Policy.
WHEN WOULD WE USE YOUR PERSONAL INFORMATION WITHOUT YOUR CONSENT?
Please note that there are circumstances where the use and/or disclosure of Demographic Information and/or Health Information may be justified or permitted or where Medisys is obliged to disclose information without your consent.
Such circumstances may include:
- Where required by law or by order or requirement of a court, administrative agency or other governmental tribunal (in this case, only the information specifically requested is disclosed and we take precautions to satisfy ourselves that the authorities that are making the request have legitimate grounds to do so);
- Where Medisys believes, upon reasonable grounds, that it is necessary to protect the rights, privacy, safety or property of an identifiable person or group, including for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual;
- Where it is necessary to establish or collect monies owing to Medisys (in this case, we would only disclose Demographic Information and not Health Information);
- For billing purposes for provincially-covered services (to OHIP, RAMQ, etc.);
- Where it is necessary to permit Medisys to pursue available remedies or limit any damages that Medisys may sustain; or
- Where such information is already in the public domain, to the extent permitted by applicable laws.
Where obliged or permitted to disclose information without consent, Medisys will not disclose more information than is required, and when disclosed in the context of an emergency that threatens the life, health or security of an individual, we will inform the individual afterwards in writing regarding the disclosure.
Medisys does not sell, trade, barter or exchange for consideration any Personal Information it has obtained.
Personal Information may also be subject to transfer to another organization in the event of a merger or change of ownership of all or part of Medisys. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes permitted by, and in strict conformity with, applicable laws.
ACCURACY OF YOUR PERSONAL INFORMATION
At Medisys, decisions, including healthcare recommendations, are often made based on the information we have. Therefore, it is important that your personal and health information is accurate and complete. We endeavour to ensure that any Personal Information provided and in our possession is as accurate, current and complete as necessary for the purposes for which Medisys uses that information.
As a client, you can request to check your information to verify, update and correct it (where appropriate).
Requests for access to your Personal Information should be made in writing (see the Contact Us section in this document for the information). After receiving the request, we will provide you with a reasonable cost estimate that reflects the cost of photocopying and staff time for generating the photocopied records. When the request is to see Health Information, in certain cases, the physician will review the record with those staff entrusted with this task.
If you only wish to view the original record, one of our staff must be present to maintain the integrity of the record. Again, a request to do so must be made in writing, and we will provide you with a reasonable cost estimate of the transcription, reproduction or transmission of such information.
In accordance with our obligations as healthcare providers, we will only refuse access to medical records in extremely limited circumstances; for example, when the information could reasonably be expected to seriously endanger the mental or physical health or safety of the individual making the request or that of another person, or if disclosure of the information would reveal personal health information about another person who has not consented to the disclosure. In this case, we will do our best to separate out this information and disclose the remaining information that is applicable.
If you have a sensory disability, we will give you access to your personal information in any alternative format you request if we already have it in that format or if its conversion into that format is reasonable and necessary in order for you to be able to exercise your rights under applicable laws. Again, a request to view your Personal Information in an alternative format must be made in writing, and we will provide you with a reasonable cost estimate that reflects the cost for such conversion.
CORRECTING YOUR PERSONAL INFORMATION
To help us keep your Personal Information up-to-date, we encourage you to amend inaccuracies and make corrections as often as necessary. Despite our best efforts, errors sometimes do occur.
Should you identify any incorrect or out-of-date information in your file(s), we will make the proper annotations and provide you with a copy of the corrected information in a prompt manner. Where appropriate and/or applicable, we will also communicate these changes promptly to other parties who may have unintentionally received incorrect information from us.
For corrections to your Health Information, you can request changes to be made to your record and this request will be documented by an annotation in the record. However, we will only make changes to reflect factual inaccuracies, rather than correcting medical opinions, diagnoses, laboratory evaluations or other medical evidence, which we as healthcare providers are required to keep.
All requests to access or to make corrections and changes to your Personal Information must be made to us in writing. We will deal expeditiously with your request to see your information, and always respond to you within 30 days. If we need to extend the time, or we have to refuse your request, we will provide a written explanation, subject to any legal restrictions, and we will notify you of the new deadline, the reasons for the extension, and your rights under applicable legislation respecting the extension.
RETENTION AND DISPOSAL OF PERSONAL INFORMATION
Medisys keeps Personal Information only as long as it is required for the reasons it was collected.
The length of time we retain information varies, depending on the product or service and the nature of the information. This period may extend beyond the end of a person’s relationship with us but it will be only for so long as it is necessary for us to have sufficient information to respond to any issues that may arise at a later date.
For Health Information, depending on the particular service offered, we retain client medical records at least as long as required by law and provincial health regulations. In certain cases, this is 3 to 7 years after the examination, or 7 years after the last entry in the medical record. Currently, the principal places in which Medisys holds Personal Information are in the cities in which Medisys has offices and nearby municipalities where off-site storage facilities may be located, or, in instances where Medisys uses third-party contractors to provide services to you (e.g. physicians who perform independent medical evaluations, or nurses who perform paramedical examinations), at such premises for those third-party contractors.
When your Personal Information is no longer required for Medisys’ purposes, we have procedures to destroy, delete, erase or convert it into an anonymous form. We destroy our records in a way that protects client privacy in accordance with regulations made under appropriate provincial legislation. We use supervised shredding contractors who must adhere to contractual privacy obligations.
At Medisys, we use technology and maintain security standards to ensure that your Personal Information is protected against unauthorized access, disclosure, inappropriate alteration or misuse, loss or theft. All security measures are also appropriate to the sensitivity level of your information.
Medisys further protects Personal Information by restricting access to it to those employees that the management of Medisys has determined need to know that information in order that Medisys may provide its services.
Electronic client files are kept in a secured environment with restricted access. Paper-based files are stored in locked fire-resistant filing cabinets or filing rooms equipped with sprinkler systems. Access to these areas is also highly restricted.
We manage our server environment appropriately and our firewall infrastructure is strictly adhered to. Our security practices are reviewed on a regular basis and we routinely employ current technologies to ensure that the confidentiality and privacy of your information is not compromised.
Our computer-security specialists build security into all our computer systems. For information stored in electronic format, this protects your information at all times, when it is stored in data files or handled by our employees. Our systems also protect your information if and when it is transmitted, for example, between our offices.
Our web sites or web applications where Personal Information is collected or stored use Secure Sockets Layer (SSL) and 128-bit encryption technologies to enhance security when you visit the secured areas of these sites. SSL is the industry standard tool for protecting and maintaining the security of message transmissions over the Internet. When we access or send information from secured sites, encryption will scramble your data into an unreadable format to inhibit unauthorized access by others.
To safeguard against unauthorized access to your accounts, you are required to “sign-on” using an encrypted password to certain secured areas of our web sites (where applicable). If you are unable to provide the correct password, you will not be able to access these sections. Your password information is encrypted, which is presently the most effective way to secure electronic data.
Communicating Personal Information to Medisys
In terms of communicating Personal Information to Medisys, you may wish to note that there is no method (other than in face-to-face consultation with our physicians or nurses) of transmitting or storing data that is absolutely secure. While the physical characteristics of each are different, mail, telephone calls, faxes and transmissions over the Internet are all susceptible to possible loss, misrouting, interception and misuse of the information being communicated or transmitted.
As do many organizations, Medisys attempts to strike a reasonable balance between security and convenience. In communicating with clients and others, Medisys often requests the right to use a method of communication that is less secure than some of its less convenient alternatives. An example of this is email. At this time, when we use email, it may be sent as unencrypted plain text. We do this because Medisys believes that many of our clients and others cannot readily process encrypted email. This is done for their convenience but has the security concern that, if misrouted or intercepted, it could be read more easily than encrypted email.
MEDISYS WEB SITES
Medisys provides clients and others with general access to public web sites and, in certain cases, restricted access to extranets. Our web servers track general information about visitors such as their domain name and time of visit. Medisys’ web servers also collect and aggregate information regarding which pages are being accessed as well as information volunteered by visitors through online surveys or subscriptions to electronic newsletters. This information is used internally, only in aggregate form, to better serve visitors by helping us to:
- Manage our sites
- Diagnose any technical problems
- Improve the content of our web site
AMENDMENT OF MEDISYS’ PRACTICES AND THIS POLICY
This updated and revised Policy is in effect as of April 2019 (and has been in effect, in earlier forms, since January 1, 2004). Medisys will from time to time review and revise its privacy practices and this Policy. Policy changes will apply to the information collected from the date of posting of the revised Policy to Medisys’ web site as well as to existing information held by Medisys.
CONTACTING US – QUESTIONS/SUGGESTIONS ABOUT THIS POLICY
In the event an individual has questions about (a) access to Personal Information; (b) the collection, use, management or disclosure of your Personal Information; or (c) this Policy, that person should contact the Chief Privacy Officer in writing. At Medisys, we are committed to maintaining and protecting the Personal Information under our control. In fulfilling this mandate, we have designated an individual (and in certain cases, individuals) who are accountable for our compliance with this Policy.
If you have any concerns, inquiries or suggestions regarding this Policy, please submit them in writing (either by fax, mail or email) to:
We will deal as expeditiously as possible with your request to see your information, and always respond to you within 30 days. If we need to extend that time, or we have to refuse your request, we will provide a written explanation, subject to any legal restrictions, and we will notify you of the new deadline, the reasons for the extension or refusal, as the case may be, and your rights under applicable legislation in that respect.
Individuals who feel that their privacy rights have been infringed upon can complain to the Privacy Commissioner of Canada. The Commissioner’s role is that of an ombudsman, trying to find solutions to privacy problems, and resolving complaints through negotiation and persuasion, and using mediation and conciliation if appropriate.
Please visit the Office of the Privacy Commissioner of Canada’s website at https://www.priv.gc.ca for details.
To contact the provincial privacy commissioners, please visit the following websites:
Medisys virtual care privacy statement
Effective October, 2019
WELCOME TO Medisys on-Demand!
This Privacy Statement (the “Privacy Statement”) governs how Medisys Health Group Inc. (“Medisys,” “us”, “we”, or “our”) and its third party virtual care provider, Right Health Inc. (“Platform Partner”) collects, uses, discloses and otherwise manages your Personal Information and your Personal Health Information (collectively, “Information”) when you use our Medisys On-Demand online platform including through the Medisys On-Demand mobile application (the “App”) (collectively, the “Platform”). For the purposes of this Privacy Statement, “Personal Information” includes your name, phone number, email address, gender, birth date and payment information (including your credit card number and its expiration date), but excludes Personal Health Information; “Personal Health Information” means information that is collected or created by our healthcare team in the course of providing healthcare services to you, including information concerning your physical or mental health history, health status, symptoms, diagnosis, laboratory testing results and diagnostic images, your health insurance plan number, information concerning any healthcare service and advice provided to you by us, including referrals, recommended follow up or next steps, and other health-related information.
COLLECTION AND USE OF INFORMATION
The Platform provides individuals with access to healthcare professionals, which may include nurse practitioners, nurses, mental health therapists, dietitians, naturopaths and physicians (“Health Care Practitioners”) and personal health assistants (“PHAs”) by secure text, video and audio chat for virtual care consultations (“Health Services”), and related healthcare and administrative support services (“Administrative Services”) (together referred to as “Services”). We collect and use your Information for the purposes of: (A) providing the Services, (B) complying with applicable law, (C) reasonable audit and data retention policies, and (D) to the extent that the data is anonymous and non-identifiable, for research and analytical purposes and to operate and expand our business opportunities.
Registration on the Platform: In order to use the Platform to receive Services, you will need to register to create a secure User Account and provide your name, contact information and a password that you select (“User Account”). You will also need to disclose information about your current health condition and health history to Health Care Practitioners and PHAs in order to enable them to provide you with appropriate Services and to complete and update online profiles and personal health histories maintained in your User Account. Individuals under the age of majority in their jurisdiction may access Services at the discretion of Health Care Practitioners and PHAs, and in collaboration with a parent or legal guardian of the individual, as appropriate.
Purchase a Paid Service: If you choose to purchase Services from us, we may collect your payment information such as your name, address, phone number, email address, billing address, and payment method. This information is used to process your payments and, if you purchase a recurring Service, to renew your subscription. We use a third party service provider who is PCI DSS compliant to facilitate secure payment processing and your Personal Information (but not your Personal Health Information) may be stored, accessed and/or viewed outside of Canada.
DISCLOSURE OF YOUR INFORMATION
We will not rent, exchange or sell your Information.
We may transfer or disclose your Information as follows:
Circle of Care: If you receive Services through the Platform, we may disclose your Information to and among Health Care Practitioners and PHAs for the purpose of providing or assisting in the provision of Services to you. We may disclose your Information to third parties such as other health professionals, specialists, pharmacists, pharmacies and laboratories for the purpose of providing or assisting in the provision of Services to you – this includes, but is not limited to, providing medically appropriate referrals, prescriptions, or lab and imaging requisitions to you. Your Personal Health Information can only be shared with third parties outside of your circle of care with your express consent.
Employers/Benefits Providers: If your access to the Platform was facilitated through your employer or benefits provider, we may provide general information about the status of your account to them. For example, we may disclose to your employer or benefits provider whether you activated your account, what email address you provided and when you last accessed your account. We will not disclose any Personal Health Information to your employer or benefits provider. Non-identifiable information may be shared with your employer at an aggregated level.
Service Provider Arrangements: In connection with the Platform and/or Services provided by Medisys, your Information may transit through third parties, including but not limited to the Platform Partner, who provide services on our behalf. For example, we may use service providers to provide specialized health related support and care, process payments, host our website and store information on our behalf. Our service providers are given only the Information they need to perform their designated functions.
Sale of Business: We may transfer Information as an asset in connection with a proposed or completed merger or sale (including transfers made as part of insolvency or bankruptcy proceeding) involving all or part of Medisys, or its Platform Partner, or as part of a corporate reorganization or other change in corporate control.
Legal: Medisys and its service providers may disclose Information to third parties where required or permitted by applicable law (which may include access by courts, law enforcement and national security authorities in Canada).
INFORMATION ABOUT THE PLATFORM
As you use the Platform, certain Personal Information may be passively collected by Cookies (defined below), navigational data like Uniform Resource Locators (URLs) and third party tracking services, including:
- App Activity Information: We may keep track of some of the actions you take on the Platform, such as the content of searches you perform on the App. We use this information in order to improve the products and services and to protect your data from unauthorized access.
- Access Device and Browser Information: When you access the App from a computer or other device, we may collect information from that device, such as your Internet protocol address (IP address), browser type, connection speed and access times (collectively, “Usage Information”). We use Usage Information in order to improve the products and services and to protect your data from unauthorized access.
- Device and Usage Information: We may also collect device-related information from your mobile device or computer. This information is used to help us authenticate you, deliver content appropriate for your device’s capabilities, and to deliver push notifications to notify you about activity on your account, such as messages from our Health Care Practitioners. Examples of information that may be collected and used include your device’s unique identifier, manufacturer, model, and operating system version. In addition, in the event our application(s) crash(es) on your mobile device, we may receive information about your mobile device model, software version and device carrier, which allows us to identify and fix bugs and otherwise improve the performance of our application(s).
- Real-Time Location: Certain features of the App request your permission to use GPS technology to collect real-time information about the location of your device so that the App can connect you to a Health Care Practitioner who is licensed or authorized to provide services in the area where you are located.
- Real-Time Video and Audio Conversations: You may be required to connect with Health Care Practitioners and PHAs through a real-time video and audio call to receive certain Health Services and to verify your identity. All video and audio calls conducted through the Platform are confidential and end-to-end encrypted and accessible only to you and the Health Care Practitioners and PHAs responsible for your care. These calls are never recorded or stored and cannot be accessed at a later date.
- Text-based Chat: Many of the Services are accessed primarily through text-based chat. The contents of your chat conversations are stored as part of your health record and are protected in the same way as all other Personal Health Information in our custody.
SECURITY OF INFORMATION
We understand that data security is a critical issue for users and we are committed to safeguarding the Information in our custody and control.
We have implemented a comprehensive information security program that includes written policies and procedures, and security controls, as well as reasonable administrative, technical and physical safeguards in an effort to protect against unauthorized access, use, loss, modification and disclosure of Information in our custody and control. Medisys also ensures that the security policies, procedures, and controls of its Platform Partner are tested and audited by a third party on an ongoing basis, using industry-standard practices such as SOC 2 reporting and penetration testing.
Our privacy practices are intended to comply with applicable privacy laws and we will maintain the privacy and security of your Information as required by applicable privacy laws. Your Personal Health Information will be stored on servers physically located in Canada (but may be temporarily viewed, accessed, used or transferred outside of Canada as necessary for installing, implementing, maintaining, repairing, troubleshooting or upgrading the Platform). Personal Information (but not Personal Health Information) may be stored outside of Canada.
It is your responsibility to play an active role in the protection and safeguarding of your Information. We encourage you to take the following steps when creating your User Account, accessing the Platform and/or using the Services:
- Create a strong and unique password that you do not share with anyone;
- Have a strong password on your computer and device that is used to access the Platform and Services;
- Fully sign-out of your User Account and close the App when you have finished using it; and
- Ensure that you are receiving Health Services from a private and undisturbed location.
ACCESS TO INFORMATION
Medisys takes reasonable steps to ensure your Information is accurate, complete, and up to date. If you become aware that any Information in our possession about you is not correct, please contact customer support. Contact information may be found under the heading “Contact Us”.
You are entitled to a copy of the Information that we have in our possession or under our control; if you would like a copy of such Information, please contact us. We will take reasonable steps to verify your identity before granting access or making corrections. In addition, your right to access or correct your Information is subject to certain legal restrictions.
We may use non-identifiable information created by us from your Information (i) to better understand and improve the Platform and our service offerings; (ii) for research and analytical purposes; and/or (iii) to operate and expand our business opportunities.
This Privacy Statement does not cover any information (including when created by us from your Information), recorded in any form, about more than one individual where the identity of the individuals is not known and cannot be inferred from the information (“Aggregated Information”). Medisys retains the right to use Aggregated Information in any way that it determines appropriate and reasonable.
RETAINING YOUR INFORMATION
We will retain any and all Information that we are required to retain under any applicable laws and regulations for the full duration of time required under those laws and regulations. We may also retain non-identifiable information, and continue to use this information in accordance with this Policy.
You may request that we delete the Information that we maintain about you, but please note that we may be required to maintain certain Information in order to meet our legal obligations (in which case we will comply with your deletion request only after we have fulfilled such obligations). When we delete Information, it will be deleted from the active database, but may remain in our archives and we may also retain Usage Information. After we delete Information, we may retain non-identifiable information, and will continue to use such information as permitted under this Privacy Statement.
You should report any privacy or security violations, including any suspected or actual unauthorized access, use or loss of Information, to us by sending an email to firstname.lastname@example.org.
CHANGES TO THIS PRIVACY STATEMENT
This Privacy Statement may be updated periodically to reflect changes to our practices. Any notices regarding modifications to this Privacy Statement will be in a written form and given: (i) by Medisys via email (in each case to the address that you provide); or (ii) via the Platform.
Please contact us at the address set out below if:
- you have any questions or comments about this Privacy Statement;
- you wish to access, update, and/or correct inaccuracies in your Information; or
- you otherwise have a question or complaint about the manner in which we or our service providers treat your Information.
Medisys Health Group
c/o Privacy Officer
600 De Maisonneuve Blvd.
This Privacy Statement was last updated October 2019.