Constant Health is considered an organization (“Organization”) under Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in respect of the User personal information collected and handled by Constant Health.
Each Dietitian registered in Ontario who provides health care to Users registered through CH with an Ontario address, is a health information custodian (“Health Information Custodians”) under Ontario’s health privacy legislation, the Personal Health Information Protection Act, 2004 (“PHIPA”). Dietitians registered to practice dietetics in a Canadian province or territory other than Ontario may be governed by that particular province or territory’s health privacy legislation, or if none, by the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
In this Policy, “we” and “our”refers to CH and to the Dietitians and Coaches employed or engaged by CH, in respect of privacy-related matters. CH has a variety of roles, including acting as privacy officer for each of the Dietitians and Coaches, and for running the overall privacy program on their behalf. CH is responsible for privacy training for its employees and agents, including its Dietitians and Coaches in relation to their work through CH.
Accountability for Personal Information and Personal Health Information
If you have questions about this policy, please contact the Constant Health privacy officer:
Constant Health Inc.
575 West Hunt Club, Unit 100
Ottawa, ON Canada
Privacy Officer contact email: firstname.lastname@example.org or 1-833-596-1460
Purposes for Collecting Personal Information and Personal Health Information
CH and its Dietitians and Coaches collect personal information and personal health information for purposes related tot he Services including the provision to You of dietetic care, weight management and related issues which may include but are not necessarily limited to one or more of comorbid disease management, diabetes and pre-diabetes targeted behavioural therapy disease monitoring,messaging and related administrative and quality purposes. In particular,personal information and personal health information may be collected for the following purposes and using the following services:
1. Providing you with the Services, which may include health care comprised of dietetic care(if you choose to use a Dietitian);
2. If applicable, communicating with and disclosing Your personal information and personal health information to your referring regulated health provider, if any, and for collecting, using and disclosing your personal information and personal health information from your referring regulated health provider, if any, about your condition and progress throughout the CH program.
3. For quality purposes, which may include but are not limited to one or more of evaluating, measuring and analyzing whether CH is meeting its standards in providing the Services.
4. To determine eligibility for insurance coverage and payment, if you provide such information to CH.
5. To handle payments.
6. For marketing purposes.
7. To train dietitians, coaches, staff and contractors of CH.
8. To improve the quality of the Services provided by CH.
9. To keep in touch with you.
10. For administrative purposes related to any of the above purposes.
The App collects, uses and discloses your personal information for the following additional purposes, using the following systems:
Consent for the Collection, Use and Disclosure of Personal Information and Personal Health Information
Under PHIPA and PIPEDA, Health Information Custodians and Organizations,respectively, require consent in order to collect, use, or disclose personal health information (“PHI”) and personal information, as PHI and personal information are defined in each Act, respectively. By using one or more of the Website, Content, User Account and App You consent to Constant Health collecting, using and disclosing your personal information for the purposes listed above. By using one ore more of the Website, Content, User Account and App You further consent to the Dietitian collecting, using and disclosing to CH the PHI that you provide to the Dietitian(s)through Your use of one or more of the App, Website, User Account and Content and to CH discussing your PHI with the Dietitians as may be necessary to provide the Services. You also consent to CH and your referring health care provider, if any, sharing and discussing your personal information and PHI for the purpose of CH providing you with the Services. There are some cases where CH may collect, use or disclose this information without Your consent, but such cases are limited to those permitted or required by law.
If You, as a User, wish Your lawyer, insurance company, family member, employer, landlord or other third-party individuals or agencies (non-health care providers) to have access to Your record held by Constant Health, You must give Constant Health written consent to this effect by contacting the Constant Health Privacy Officer.
Implied consent (Disclosures to other health care providers for healthcare purposes) – Circle of Care
User information may also be released by a Dietitian to a User’s other health care providers for health care purposes (within the “circle of care”) without the express written or verbal consent of the User as long as it is reasonable in the circumstances to believe that the User wants the information shared with the other health care providers. No User information will be released to other health care providers if a User has stated that the User does not want the information shared (for instance, by way of the placement of a “lockbox” on the User’s health records). Please note that if you lock sharing of your personal health information, the lock operates on a go-forward basis only and does not operate retrospectively; any personal health information shared prior to imposition of the lockbox is not locked.
A User’s request for treatment by a Dietitian constitutes implied consent for the Dietitian to use and disclose the User’s personal health information for health care purposes,unless the User expressly instructs otherwise. By using one or more of the App,User Account, Content and Website, and accepting treatment by a Dietitian, You consent to the Dietitian disclosing your PHI to CH for the purposes of providing the Services, for communicating with CH about your condition and progress through the CH program and for the purposes identified herein. Further, if you are referred to CH by a regulated health care provider (for example, your family physician or nurse practitioner) you consent to CH disclosing your personal health information collected and used by CH (and its Dietitians and Coaches) back to your referring provider.
There are certain activities for which consent is not required to use or disclose personal information or personal health information. These activities are permitted or required by law. For example, CH, Dietitians and Coaches do not need consent from Users to (this is not an exhaustive list):
•Plan, administer and manage our internal operations, the App, the Website, programs and Services
•Engage in quality improvement,error management, and risk management activities
•Participate in the analysis, administration and management of the health care system
•Engage in research (subject to certain rules)
•Train our employees, agents and others
•Compile statistics for internal or mandatory external reporting
•Respond to legal proceedings
•Comply with mandatory reporting obligations
If Users have questions about using and disclosing personal information and personal health information without consent, please contact the Privacy Officer identified herein.
Withholding or Withdrawal of Consent
If consent is sought, a User may choose not to give consent (“withholding consent”). If consent is given, a User may withdraw consent at any time,but the withdrawal must be recorded and communicated to CH, a Dietitian or Coach and is not retroactive. This means that information already communicated to CH will have been collected with consent but going forward, no further collection will occur. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice. If You withdraw or withhold Your consent you cannot continue Your Use of the App, Content, User Account and Website.
Limiting Collection of Personal Information and Personal Health Information
The amount and type of personal information and personal health information collected by the Dietitians and Coaches through CH, or by CH directly from the User is limited to that which is necessary to fulfill the purposes identified. Information is collected directly from the User, unless PHIPA, PIPEDA, or another law permits or requires collection from third parties. Personal information and personal health information are only collected as needed to fulfill the Services.
Limiting Use, Disclosure and Retention of Personal Information and Personal Health Information
Personal information and personal health information are not used for purposes other than those for which such information was collected, except with the consent of the User or as permitted or required by law. CH, the Dietitians and Coaches use the information within the limits of their individual roles. They do not read, look at,receive or otherwise use personal information or personal health information unless they have a legitimate “need to know” as part of their role. If the agent is uncertain, the Privacy Officer will assist.
Personal information and personal health information are not disclosed for purposes other than those for which such information was collected, except with the consent of the User or as permitted or required by law. Personal information and personal health information may only be disclosed within the limits of each individual’s role. The limitation described above relating to each agent’s role applies.
Personal information and personal health information are retained as required by law and professional regulations and to fulfill the purposes for which the information is collected. Information that is no longer required to fulfill the identified purposes is securely destroyed, erased, or made anonymous.
Accuracy of Personal Information and Personal Health Information
We will take reasonable steps to ensure that information we hold is as accurate, complete,and up to date as is necessary to minimize the possibility that inappropriate or inaccurate information may be used to make a decision about a User.
Safeguards for Personal Information and Personal Health Information
We have put in place safeguards for the personal information and personal health information we hold, which include:
•Physical safeguards (such as locked doors and cabinets and restricted access to servers)
•Organizational safeguards (such as permitting access to information by staff on a "need-to-know" basis only, confidentiality agreements and privacy training); and
•Technological safeguards (such as the use of passwords, encryption,and audits)
We take steps to ensure that the personal information and personal health information we hold are protected against theft, loss and unauthorized use or disclosure. We require anyone who collects, uses or discloses personal information and personal health information on our behalf to be aware of the importance of maintaining the confidentiality of the information. This is done through the signing of confidentiality agreements, privacy training,and contractual means. Care is used in the secure disposal or destruction of personal information and personal health information, to prevent unauthorized parties from gaining access to the information.
Openness about Personal Information and Personal Health Information
Information about our policies and practices relating to our management of personal information and personal health information are available to the public,including:
•Contact information for our Privacy Officer, to whom complaints or inquiries can be made;
•The process for obtaining access to personal information and personal health information we hold, and making requests for its correction;
• A description of the type of personal information and personal health information we hold, including a general account of our uses and disclosures; and
•A description of how a User may make a complaint about the CH privacy practices, to CH, or to the Information and Privacy Commissioner of Ontario or the Privacy Commissioner of Canada.
User Access to Personal Information and Personal Health Information
Users may make written requests to have access to their records of personal information and personal health information. CH will respond to a User’s request for access within reasonable timelines and costs to the User, as governed by law. We will take reasonable steps to ensure that the requested information is made available in a format that is understandable. Users who successfully demonstrate the inaccuracy or incompleteness of their information may request that we amend their information. In some cases, instead of making a correction,Users may ask to append a statement of disagreement to their file.
Please Note: In certain situations, we may not be able to provide access to all of the personal information and personal health information we hold about a User, such as where the access could reasonably be expected to result in a risk of serious harm or the information is subject to legal privilege, or in other situations as permitted by law and described below (See Denying User Access to Records).
User Access to Information
With limited exceptions, we are required bylaw to respond within 30 days to Users who make written requests to access their records of personal information and personal health information (subject to a time extension of up to an additional 30 days if necessary and with notice to the person making the request).
a. Requests to Access
i. User requests for their own information should be made in writing.
ii. If a request for access is made directly to the Dietitian or Coach, the Dietitian or Coach should direct the User to CH’s usual process for release of records. CH may assist the User with locating the desired information or document in the record. Because records may be difficult to read and interpret and may mislead or alarm a User, Users will be encouraged to review the records with CH(or a delegate) so the information can be explained. Users seeking access may be asked to provide identification in order to verify their identity prior to reviewing records.
iii. If a User wishes to read the original record, someone must be present to ensure the records are not altered or removed. Users may not make notes on the original record or remove originals from the record or otherwise alter their records. If a User requests a copy of a record, copies may be given and fees may be applied.
iv. The original of the written request for access will be placed with the User’s records and must contain the following:
•A description of what information is requested
•Information sufficient to show that the person making the request for access is the User or other authorized person
•The signature of the User or other authorized person and a witness to the signature
•The date the written request was signed
v. A notation shall be made in the record(e.g., a handwritten note) stating:
•What information or records were disclosed
•When the information or records were disclosed
•By whom the information or records were disclosed
•If an individual requests access to the User’s information on behalf of the User a signed consent from the User will be necessary and the consent must have been signed by the User within 90 days prior to the request.
b. Denying User Access to Records
In certain situations, we may refuse a User’s request for access to all or part of a record. Exceptions to the right of access requirement must be in accordance with law and professional standards. Reasons to deny access to a record (or part of a record) may include:
•The information is subject to a legal privilege that restricts disclosure to the individual
•The information was collected or created primarily in anticipation of or for use in a proceeding (and that proceeding and any appeals have not been concluded)
•The information was collected or created in the course of an inspection, investigation or similar procedure authorized by law or undertaken for the purpose of the detection, monitoring or prevention of a person’s receiving or attempting to receive a benefit to which the person is not entitled under law (and the inspection or investigation have not been concluded)
•If granting access could reasonably be expected to:
o Result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person
o Lead to the identification of a person who was required by law to provide information in the record
o Lead to the identification of a person who provided information explicitly or implicitly in confidence (if it is appropriate to keep that source confidential)
Users must be told if they are being denied access to their own health records. In such cases, Users have a right to complain to the Privacy Commissioner of Canada,and must be told of this right and how to reach the respective Commissioner’s office.
Correction of Records
We have an obligation to correct personal information and personal health information if it is inaccurate or incomplete for the purposes it is to be used or disclosed. Users may request that the information be corrected if it is inaccurate or incomplete. Such requests must be made in writing and must explain what information is to be corrected and why.
We must respond to requests for correction within 30 days (or seek an extension of up an additional 30 days but only if we have let the User know, in writing). Corrections are made in the following ways:
•Striking out the incorrect information in a manner that does not obliterate the record, or
•If striking out is not possible:
o Labelling the information as incorrect, severing it from the record, and storing it separately with a link to the record that enables CH or the Dietitian or Coach to trace the incorrect information, or
o Ensuring there is a practical system to inform anyone who sees the record or receives a copy that the information is incorrect and directing that person to the correct information.
The record will not be corrected if:
•The record was not originally created by the Dietitian or Coach and the Dietitian or Coach does not have the knowledge, expertise or authority to correct the record, or
•The record consists of a professional opinion which was made in good faith.
The Dietitian has discretion regarding correction to his or her health care records regarding the User and correction requests may not always be granted. If we choose not to correct a record, the User must be informed in writing. The User will have the choice to submit a statement of disagreement,which will be scanned onto the record and released any time the information that was asked to be corrected is released. In these cases, Users have a right to complain to the Information and Privacy Commissioner of Ontario or Canada, as applicable, and their contact information is below.
Challenging Compliance with CH’s Privacy Policies and Practices
Any person may ask questions or challenge our compliance with this policy or with PHIPA or PIPEDA by contacting our Privacy Officer or the Dietitian or Coach that provided the Services to you. We will receive and respond to complaints or inquiries about ourpolicies and practices relating to the handling of personal information and personal health information. We will inform Users who make inquiries or lodge complaints of other available complaint procedures. We will investigate all complaints. If a complaint is found to be justified, we will take appropriate measures to respond.
The Information and Privacy Commissioner of Ontario oversees compliance with privacy rules and PHIPA, and the Privacy Commissioner of Canada oversees compliance with privacy rules and PIPEDA. Any individual can make an inquiry or complaint directly to the respective Commissioner by writing or calling:
Office of the Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8 Canada
Phone: 1 (800) 387-0073 (or (416) 326-3333 in Toronto)
Office of the Privacy Commissioner of Canada
30, Victoria Street
Gatineau, Quebec K1A 1H3 Canada
Phone: (819) 994-5444
TTY: (819) 994-6591