Shift Physiotherapy & Wellness
Privacy Policy
Overview
Shift Physiotherapy & Wellness is committed to safeguarding the personal information entrusted to us by our clients. We will not disclose your personal information without consent or reasonable and lawful notice, except where required or permitted by law. We manage your personal information in accordance with Alberta's Personal Information Protection Act and other applicable laws. This policy outlines the principles and practices we follow in protecting your personal information. The policy also applies to any person providing services on our behalf. A copy of this policy is provided to any client on request.
Our privacy commitment
At Shift Physiotherapy & Wellness, we protect patient privacy by:
- Collecting only the personal information required to provide physiotherapy services.
- Advising you how your information might be disclosed and obtaining your consent.
- Safeguarding your personal information.
- Sharing your personal information only for the purposes stated and agreed to in a signed consent form, or as otherwise permitted by law.
- Ensuring any contractors we hire who may have access to your information also protect the privacy of your information.
- Training staff and adapting the office space to ensure maximum protection of your privacy.
- Ensuring personal information is current, complete and accurate.
- Providing you access to your personal information and a mechanism for requesting corrections.
- Having our privacy officer available to answer your questions.
- Periodically reviewing our privacy policy to ensure it provides adequate protection for your personal information.
What is personal information?
Personal information means information about an identifiable individual. This includes an individual's name, home address, phone number, age, sex, marital or family status, an identifying number, financial information, educational history, etc.
What personal information do we collect?
We collect only the personal information we need to provide services to our clients, including the personal information required to:
- Open and update a patient file
- Book appointments and send appointment reminders to patients
- Manage billing and payment
- Assess, diagnose and develop an appropriate treatment program
- Maintain patient records
We normally collect client information directly from our clients. We may collect your information from other persons with your consent or as authorized by law.
Consent
We ask for consent to collect, use or disclose client personal information, except in specific circumstances where collection, use or disclosure without consent is authorized or required by law. We ask for your express consent for some purposes and may not be able to provide certain services if you are unwilling to consent to the collection, use or disclosure of certain personal information. Where express consent is needed, it is collected through an online consent form. A client may withdraw consent to the use and disclosure of personal information at any time. We may collect, use or disclose client personal information without consent only to the extent permitted by law.
With whom do we share your information?
Your contact information may be disclosed to third-party health care providers/insurers where claims for reimbursement have been submitted. Your medical information may be shared with the WCB or your employer if you have filed a WCB claim. We may also share your information with other health professionals who are also providing you with treatment. We may share your information with your lawyer if you were injured in an accident.
Where do we store your information?
Personal health information is stored with our third-party service provider, Jane. We chose this system partly for their commitment to security. Their privacy policy can be found here: https://jane.app/privacy.
We store electronic records on secured hardware, use antivirus software and passwords on all computers and take care to protect screen monitors from public viewing. Electronic information is transferred in secure files and made anonymous wherever possible. We do not share your personal information outside our office for any marketing, promotional, publicity, educational or research purposes without your consent. We train staff to handle your information only through the protected measures outlined in our privacy procedures. If consultants or contractors are hired, we take steps to ensure the consultant or contractor also protects your privacy.
How do we safeguard personal information?
We understand that the safeguarding of personal information in a health care environment is extremely important. We store and use your personal information on servers that satisfy HIPAA compliance, and access to that information is secured by industry-standard password requirements and 2FA (two-factor authentication). Where third-party services are used, separate agreements ensuring the safety of your information have been entered into. Owners of the company are granted full access to personal information, and employees are granted only the information required to fulfill their responsibilities. We also train our staff/contractors to handle your information through the measures outlined in our privacy policy.
What if there is a security breach?
We will notify the Office of the Information and Privacy Commissioner of Alberta and the affected clients without delay of any security breach involving personal information. The privacy officer will handle such situations should they arise.
How long do we keep your data?
We are required by legislation to retain records containing personal information for 10 years. In the case of a minor, we are required to retain records for 10 years after the minor's eighteenth birthday. When destroying client personal information, appropriate measures are taken to render the data unrecoverable.
Accessing and correcting your personal information
You may access your personal information by asking a staff member, who may refer you to our privacy officer. We will attempt to help you understand why we collect, store and use the information contained in your records. You may request an amendment to your personal information if it is inaccurate, incomplete or out of date, or if you believe there is a factual error. You may also request a copy of your patient file. Requested copies will be provided within a reasonable time. If there is a fee for the cost of producing a copy, we will inform you of the cost in advance.
Questions and complaints
If you have a question or concern about the collection, use or disclosure of personal information by Shift Physiotherapy & Wellness, or about a request for access to your own personal information, please contact Kristen Redhead, Privacy Officer, at info@shiftptwellness.com
If you are not satisfied with the response you receive, you should contact the Information and Privacy Commissioner of Alberta:
Office of the Information and Privacy Commissioner of Alberta
Suite 2460, 801 - 6 Avenue SW, Calgary, Alberta T2P 3W2
Phone: 403-297-2728 Toll-free: 1-888-878-4044
Email: generalinfo@oipc.ab.ca Website: www.oipc.ab.ca
Physiotherapy Alberta - College + Association
300, 10357 - 109 Street, Edmonton, Alberta T5J 1N3
Phone: 780-438-0338 Toll-free: 1-800-291-2782 Fax: 780-436-1908
Email: info@physiotherapyalberta.ca Website: www.physiotherapyalberta.ca
Health Information Privacy & Security Policy: Chiropractic
Overview
At Shift Physiotherapy & Wellness our staff abide by specific privacy policies and procedures depending on the type of services rendered. For patients who are receiving chiropractic care, our privacy policies are based on the Health Information Act and are outlined in this particular policy.
If you are coming for other services, such as physiotherapy, registered massage therapy or naturopathic medicine please refer to our other privacy policy entitled, “Personal Information Privacy Policy: Physiotherapy, Massage Therapy & Naturopathic Medicine”, which falls under PIPA legislation.
Regardless of the policy, Shift Physiotherapy & Wellness is committed to safeguarding the personal information entrusted to us by our clients. We manage your personal information that is collected for or during chiropractic care in accordance with the Health Information Act and other applicable laws and legislations. This policy outlines the principles and practices we follow in protecting your personal information. The policy also applies to any person providing services on our behalf. A copy of this policy is provided to any client on request.
Our privacy commitment
At Shift Physiotherapy & Wellness, we protect patient privacy by:
- Collecting only the personal information required to provide chiropractic services.
- Advising you how your information might be disclosed and when we are required to obtain your consent.
- Safeguarding your personal information.
- Sharing your personal information only for the purposes stated in the Health Information Act (HIA) or otherwise permitted by law.
- Ensuring any contractors we hire who may have access to your information also protect the privacy of your information.
- Training staff and adapting the office space to ensure maximum protection of your privacy.
- Ensuring personal information is current, complete and accurate.
- Providing you access to your personal information and a mechanism for requesting corrections.
- Having our privacy officer and security officer available to answer your questions.
- Periodically reviewing our privacy policy to ensure it provides adequate protection for your personal information.
What is personal information?
Personal information means information about an identifiable individual. This includes an individual’s name, home address, phone number, age, sex, marital or family status, an identifying number, financial information, educational history, etc.
What personal/health information do we collect?
At Shift Physiotherapy & Wellness, we understand that your health information is sensitive and private. We collect your health information only for specific and legitimate purposes and only with your consent, unless otherwise authorized by law.
The Health Information Act (HIA) sets out the statutory authority for the collection of health information in Alberta, Canada. We collect your health information in accordance with the HIA, which allows for the collection of health information for specific purposes, including:
- Providing you with health care services or treatment
- Managing and administering the health care system
- Conducting research, provided that the research is conducted in accordance with applicable laws and regulations
- Fulfilling legal or regulatory requirements, including reporting of communicable diseases and other public health risks
- Supporting law enforcement investigations, where authorized by law
We may also collect your health information with your consent or as otherwise permitted by law. We will only collect the minimum amount of health information necessary to achieve the specified purposes, and we will take appropriate measures to protect the confidentiality and security of your health information.
Some examples of acceptable uses of health information in a multidisciplinary health clinic under the HIA include:
- Providing you with treatment, including assessment, diagnosis, and treatment planning
- Communicating with other health care providers involved in your care, such as your physician or specialist, to ensure coordinated and effective care
- Conducting quality assurance activities to ensure that we are providing the highest standard of care
- Providing education and health promotion activities, such as workshops or seminars, to help you manage your condition and improve your health
- Billing for services provided, including submitting claims to your insurer or third party payor
We will only use your health information for legitimate purposes and will take appropriate measures to protect the confidentiality and security of your health information.
Consent
We ask for consent to collect, use or disclose client health information, except in specific circumstances where collection, use or disclosure without consent is authorized under the Health Information Act or by law. We ask for your express consent for some purposes and may not be able to provide certain services if you are unwilling to provide consent to the collection, use or disclosure of certain personal information. Where express consent is needed, it is collected through an online consent form. A client may withdraw consent to the use and disclosure of personal information at any time.
How do we maintain accuracy of your health information?
We are committed to maintaining the accuracy of your health information. We accept written requests to change your health information on file should an error be made. You have the right to access and correct your personal and health information held by us. If you would like to access or correct your information, please contact our privacy officer. You can expect the privacy officer to respond to your request within 30 days. The privacy officer will be able to provide you with information regarding how we make decisions on whether to grant or refuse a correction request. These policies are based on the Health Information Act (HIA).
What privacy training do our employees receive?
We take our obligations under the Health Information Act (HIA) seriously and are committed to protecting the privacy and confidentiality of individuals' health information. As part of our commitment to maintaining high standards of privacy and security, we ensure that all staff members receive appropriate training on the HIA, as well as on our organizational policies and procedures for protecting personal health information. We require all new staff to complete privacy and security training as part of their orientation, and we provide ongoing training to ensure that all staff remain up-to-date on their obligations under the HIA. This training includes instruction on the collection, use, disclosure and protection of personal health information, as well as on the importance of maintaining the confidentiality and security of this information. We also require all staff to sign a confidentiality agreement to ensure that they understand their obligations with respect to protecting personal health information.
How do we maintain technical and administrative safeguards to protect health information?
To ensure the safety and confidentiality of your health information, we maintain technical and administrative safeguards that comply with applicable laws and regulations. Our technical safeguards include secure data storage and transmission, firewalls, encryption, and regular security updates. Our administrative safeguards include access controls, employee training, and ongoing monitoring of our systems to detect and prevent any unauthorized access or use of your health information.
We understand that the protection of your health information is a crucial aspect of our business, and we take this responsibility seriously. We commit to continuously improving our technical and administrative safeguards to ensure that your health information remains secure and confidential.
What is our schedule for periodic review of privacy policies?
As part of our commitment to continuously improve our privacy practices, we conduct periodic reviews of our privacy policies to ensure that they are up-to-date and compliant with applicable laws and regulations.
Our privacy policies are reviewed on an annual basis, or more frequently if necessary. During these reviews, we assess any changes to our data collection, processing, storage, and sharing practices to ensure that they align with our commitment to protecting your privacy.
We also take into account any feedback received from our customers or other stakeholders regarding our privacy practices during these reviews. If any updates or changes are made to our privacy policies, we will notify you through our website.
We understand the importance of keeping our privacy policies current and relevant, and we strive to ensure that they reflect our commitment to protecting your privacy.
Access to health Information
Under the Alberta Health Information Act (HIA), individuals have the right to request their own health information that is in our custody or control. If you wish to access your health information, you can make a written request to our organization. We will send you a form to fill out to make a formal access request. We will respond to your request in accordance with the timelines and requirements set out in the HIA, which is currently 30 days.
Please note that there may be certain circumstances where we are unable to provide you with access to all or part of your health information, such as if the disclosure of the information could harm your physical or mental health or if it contains confidential third-party information. In such cases, we will provide you with a written explanation of why access was denied and your rights to appeal the decision.
If you have any questions or concerns about how we handle your personal health information or wish to make a request for access, please contact our privacy officer.
Shift Physiotherapy & Wellness will abide by the fee guidelines set in the “Regulated fee schedule under the Health Information Act (HIA).” Please contact our privacy officer for an outline of the associated fees.
With whom do we share your information?
At Shift Physiotherapy & Wellness, we understand the importance of protecting the privacy and confidentiality of our clients' health information. However, there are certain circumstances in which we may need to disclose this information to other organizations or persons. Below we outline those circumstances and explain our procedures for disclosure as outlined by the Health Information Act (HIA).
Disclosure with Consent:
Except for limited circumstances specified in the HIA, Shift Physiotherapy & Wellness will get your written consent before releasing information to a third party, such as a family member, lawyer, or insurance company. Consent allows for disclosure to anyone for any purpose, according to the terms of the consent.
Disclosure without Consent:
The HIA provides limited and specific circumstances where we can disclose your information to a third party without your consent. Some examples include disclosing information:
- to another custodian, for the purpose of providing an individual with health services
- to any person, if the custodian reasonably believes that the disclosure will avert or minimize a risk of harm to the health or safety of a minor, or an imminent danger to any person
- if authorized or required by another enactment of Alberta or Canada, for example, the Public Health Act
- to a police service if the custodian reasonably believes the information relates to the possible commission of an offense under an enactment of Alberta or Canada, for example, the Criminal Code of Canada, and the disclosure will protect the health and safety of Albertans
Disclosure of Non-Identifying Information:
In some cases, we may disclose non-identifying information about your health, such as statistics or aggregated data, to other organizations or persons for research or public health purposes. This information does not include any personally identifiable information and cannot be used to identify you.
Keeping a Record of Disclosure:
We keep a record of all disclosures of your health information, including the name of the person or organization to whom the information was disclosed and the purpose of the disclosure.
Disclosure Notice:
In the event that we disclose your health information to another organization or person, we will provide you with notice of the disclosure as required by law. This notice will include the name of the person or organization to whom the information was disclosed and the purpose of the disclosure.
At Shift Physiotherapy & Wellness, we take our responsibility to protect your privacy very seriously. We will only disclose your health information in accordance with the HIA, applicable laws and regulations. If you have any questions or concerns about our disclosure procedures, please do not hesitate to contact us.
How do we classify information?
Our organization is committed to protecting the confidentiality, integrity, and availability of personal health information in accordance with the Health Information Act (HIA) and other applicable legislation and professional standards. To achieve this, we classify health information based on its sensitivity and use this classification to determine the most appropriate level of security.
Health information is classified into one of three levels of sensitivity based on the degree of potential harm or damage that could result from unauthorized access, use, or disclosure:
Level 1 - Low sensitivity: Health information that, if compromised, would result in little to no harm or damage. Examples include basic demographic information, such as name and address, and information related to routine medical procedures.
Level 2 - Medium sensitivity: Health information that, if compromised, could result in some harm or damage. Examples include mental health information, addiction-related information, and information related to infectious diseases.
Level 3 - High sensitivity: Health information that, if compromised, could result in significant harm or damage. Examples include genetic information, HIV status, and information related to mental health or substance use disorders.
Once health information has been classified, we use this classification to determine the most appropriate level of security. This includes implementing administrative, technical, and physical safeguards that are commensurate with the sensitivity of the information and the risks associated with its collection, use, disclosure, and retention.
Our organization's Privacy Officer is responsible for overseeing the classification of health information and ensuring that appropriate security measures are in place. We are committed to protecting the privacy and confidentiality of personal health information and ensuring that it is handled in a manner that is consistent with legislative requirements.
How do we handle research requests?
At Shift Physiotherapy & Wellness, we recognize the importance of protecting the privacy and confidentiality of our clients' health information. We also understand the value of research in advancing medical knowledge and improving healthcare outcomes. This privacy policy clause outlines our procedures for handling research requests and agreements with researchers under Sections 48-56 of the Health Information Act (HIA).
Approval Process for Research Requests:
All research requests must be submitted to Shift Physiotherapy & Wellness’ privacy officer for review and approval. The privacy officer will consult with independent experts in the field of medical research, and they will review the request to ensure that it meets ethical and legal standards for the use of health information. The privacy officer will also evaluate the potential risks and benefits of the research and consider any privacy concerns that may arise.
Agreements with Researchers:
Before we disclose any health information to a researcher, we require them to sign a written agreement that outlines the conditions under which they will access and use the information. This agreement will include provisions to ensure the confidentiality and security of the information, and it will require the researcher to comply with all applicable laws and regulations. The agreement will also specify the purposes for which the information will be used and will prohibit any further use or disclosure of the information without our express consent.
In cases where the research is being conducted by an external organization or institution, we will enter into a formal agreement with that organization or institution to ensure that they are bound by the same confidentiality and security requirements as our own employees.
We take our responsibility to protect the privacy and confidentiality of our clients' health information very seriously, and we will only disclose information for research purposes when we have obtained the necessary approvals and agreements. If you have any questions or concerns about our research procedures, please do not hesitate to contact our Privacy Officer.
How do we ensure that third parties, which include contractors and information managers, protect your health information?
At Shift Physiotherapy & Wellness, protecting your health information is of utmost importance. We understand that third-party contractors and information managers may have access to your personal information in the course of their work. We have implemented the following measures to ensure that third-party contractors and information managers protect your health information:
Privacy Requirements for Third-Parties:
We require that all third-party contractors and information managers sign a confidentiality agreement before they are granted access to your health information. This agreement outlines their responsibility to protect your health information and to comply with all applicable privacy laws and regulations.
Review of Third-Party Compliance:
We regularly review third-party compliance with our privacy requirements to ensure that they are protecting your health information in accordance with our policies. If a third-party contractor or information manager is found to be non-compliant with our privacy requirements, we take immediate action to address the issue.
Requirements for Out-of-Province Information Managers:
We understand that some third-party information managers may be located outside of the province. In these cases, we require that the information manager complies with all applicable privacy laws and regulations in their jurisdiction, as well as our privacy requirements.
How often are Privacy Impact Assessments conducted?
Under Section 64 of the Health Information Act (HIA), a custodian is required to prepare a PIA any time there are new, or if there are changes to, existing administrative practices or information systems relating to the collection, use or disclosure of individually identifying health information. Our organization's Privacy Officer is responsible for ensuring our appointed custodian conducts PIAs and ensuring compliance with the HIA. PIAs are reviewed annually by our appointed custodian or whenever there is a significant change to our organization's information management practices or technologies.
What are our policies for record retention and disposition?
Our organization is committed to maintaining the confidentiality, privacy, and security of personal health information in accordance with the HIA. We keep records containing health information for as long as necessary to fulfill the purposes for which they were collected, and as required by law or professional standards.
We follow the records retention and disposition schedules recommended by the Alberta Health Records Act (HRA), the HIA, and other applicable legislation and professional standards. These schedules provide guidance on the minimum retention periods for different types of health information, as well as the disposition requirements when records are no longer needed. According to the Health Information Act, currently Shift Physiotherapy & Wellness is required to retain diagnostic and treatment records for 10 years after the date of discharge, or 2 years after the patient reaches or would have reached the age of 18, whichever is longer.
Once records containing health information are no longer needed, we ensure that they are securely disposed of in accordance with our organization's policies and procedures, as well as applicable legislation and professional standards. This includes the use of appropriate security measures such as shredding, burning, or secure electronic deletion to prevent unauthorized access, use, or disclosure of personal health information.
Our organization's Privacy Officer is responsible for overseeing the secure disposal of health information and ensuring compliance with the HIA and other applicable legislation and professional standards. We are committed to protecting the privacy and confidentiality of personal health information and ensuring that it is handled in a manner that is consistent with legislative requirements.
Where do we store your information?
Personal health information is stored on our third party service provider Jane App. We chose this system partly for their commitment to security. Their privacy policy can be found here: https://jane.app/privacy.
We store electronic records on secured hardware, use antivirus software and passwords on all computers and take care to protect screen monitors from public viewing. Electronic information is transferred in secure files and made anonymous wherever possible. We do not share your personal information outside our office for any marketing, promotional, publicity, educational, or research purposes without your consent. We train staff to handle your information only through the protected measures outlined in our privacy procedures. If consultants or contractors are hired, we take steps to ensure the consultant or contractor also protects your privacy.
How do we safeguard personal information?
We understand that the safeguarding of personal information in a health care environment is extremely important. Jane App stores and utilizes personal information on servers that satisfy HIPAA compliance, and access to that information is secured by industry standard password requirements and 2FA (Two Factor Authentication). Where third party services are used, separate agreements ensuring the safety of your information have been transacted. Owners of the company are granted full access to personal information, and employees/contractors are only granted the information that is required to fulfill their responsibilities. We also train our staff/contractors to handle your information through the measures outlined in our privacy policy.
How do we conduct risk assessments?
Shift Physiotherapy & Wellness is committed to protecting the privacy and confidentiality of personal health information in accordance with the Health Information Act (HIA) and other applicable legislation and professional standards. To ensure the effectiveness of our privacy policies and practices, we conduct periodic risk assessments.
These risk assessments are designed to identify potential threats, vulnerabilities, and risks to the privacy and confidentiality of personal health information, as well as the effectiveness of our existing privacy policies and practices. The risk assessments consider factors such as the nature and sensitivity of the information we collect, use, disclose, and retain, as well as the administrative, technical, and physical safeguards we have in place to protect it.
Based on the results of the risk assessments, we update our privacy policies and practices as necessary to address any identified risks and ensure ongoing compliance with legislative requirements and professional standards. We also provide training and education to our workforce on any updates to our privacy policies and practices.
Our organization's Privacy Officer is responsible for overseeing the risk assessment process and ensuring that appropriate actions are taken to address any identified risks. We are committed to continuously improving our privacy policies and practices to protect the privacy and confidentiality of personal health information.
What do we do to ensure physical security of data and equipment?
Our organization is committed to protecting the privacy and confidentiality of personal health information in accordance with the Health Information Act (HIA) and other applicable legislation and professional standards. To achieve this, we have implemented physical and administrative safeguards to secure health information in both paper and electronic form.
Physical safeguards:
We secure our workspaces by limiting access to authorized personnel only and locking our offices and file cabinets when not in use.
We ensure that computers, fax machines, copiers, and other office equipment are located in secure areas and that they are password-protected.
We use a privacy function on our charting software to prevent unauthorized individuals from viewing health information displayed on computer monitors.
We ensure that mobile equipment, such as notebook computers and mobile data storage devices, is physically secured when not in use and is password-protected.
Administrative safeguards:
We limit access to health information to authorized personnel only, and we ensure that our workforce members are trained on our policies and procedures related to the protection of personal health information.
We regularly update our office computer security software to protect against unauthorized access, viruses, and malware.
We use strong passwords and change them periodically to prevent unauthorized access.
We use secure methods for disposing of paper records containing health information, such as shredding, and we ensure that electronic records are securely deleted or destroyed when no longer needed.
What do we do to ensure business continuity?
Shift Physiotherapy & Wellness recognizes the importance of ensuring that personal health information is available when needed, and has implemented measures to ensure the availability, integrity, and confidentiality of personal health information.
Data backup:
Our organization uses the Jane App charting software. Jane uses mirrored database servers (which act as real-time backups), so in the unlikely event that something happens in the data centre, Jane can fail over immediately to the other database server. Jane also performs nightly off-site backups as an additional precaution.
Disaster recovery:
Our organization has a disaster recovery plan in place that is regularly reviewed and updated to reflect changes in technology, business needs, and regulatory requirements.
The disaster recovery plan includes procedures for restoring critical systems and applications, as well as procedures for restoring personal health information from backups.
Jane App data is stored in a secure facility equipped with current security, authorization, and surveillance technologies. Jane's data centres are, at minimum, SOC 2 audited and compliant, and undergo annual SOC 2 compliance audits and reports. Jane's data is also backed up nightly to an off-site location in Quebec.
For disaster recovery, Amazon Web Services (AWS) provides at least two geographically separated data centres, and Jane's backups are stored across all of them, so that if one goes down the data can be retrieved from another.
The AWS data centres used for Jane's Canadian customers are in the Montreal area, so the data resides on Canadian soil.
Business needs:
Our data backup and disaster recovery plans are based on our business needs and the criticality of personal health information to the ongoing operations of our organization.
We regularly review our business needs and the criticality of personal health information to ensure that our data backup and disaster recovery plans are appropriate and effective.
What do we do for network and communications security?
Shift Physiotherapy & Wellness has implemented measures to secure our network and communications infrastructure.
Malware (anti-virus) protection:
We use anti-virus software to protect our computer systems and network from viruses, malware, and other types of malicious software.
We ensure that our anti-virus software is up-to-date and that it is configured to scan all incoming and outgoing data.
Firewalls:
We use firewalls to control and monitor incoming and outgoing network traffic. Our firewall is a Cisco Meraki MX67 network security appliance, which provides IDS/IPS, content filtering, web search filtering, anti-malware, geo-IP-based firewalling, IPsec VPN connectivity, and Cisco Advanced Malware Protection.
We configure our firewalls to restrict unauthorized access to our network and to block unauthorized attempts to access personal health information.
Intrusion detection systems:
We have enabled both intrusion detection/prevention systems and advanced malware protection on our firewall to monitor our network for unauthorized access and suspicious activity.
We configure our intrusion detection systems to alert us in the event of a security breach or attempted breach.
Our charting software, Jane App, has enabled AWS security features such as an intrusion prevention system and a web application firewall.
Encryption:
We use encryption to protect personal health information when it is transmitted over public networks, such as the internet.
We use secure encryption protocols, such as Transport Layer Security (TLS) for web traffic and Secure Real-Time Transport Protocol (SRTP) for real-time audio and video, to ensure that personal health information is protected during transmission.
Data that passes through our charting software, Jane App, is encrypted both in transit and at rest. Jane App encrypts all volumes on which customer data is stored and individually encrypts every backup. Data in transit is protected with TLS 1.2, using ECDHE_RSA key exchange on the P-256 curve and AES_128_GCM; data at rest is protected with AES-256 encryption.
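The transport parameters stated above (TLS 1.2 or newer, ECDHE key exchange for forward secrecy, an AEAD bulk cipher such as AES-GCM) can be verified rather than taken on trust. The following script is an added example and is not code from Jane App or from the clinic: it encodes that policy as a check over the (name, protocol, bits) triple that Python's `ssl.SSLSocket.cipher()` returns, runs it over a few constructed negotiations, and can optionally probe a live host given on the command line. The sample cipher names and the message wording are assumptions chosen for illustration; the named curve (P-256) is not exposed by `cipher()` and is not checked here.

```python
"""Check a negotiated TLS cipher against the transport policy stated above.

Added example, not Jane App's or the clinic's code. Policy encoded here:
TLS 1.2 or newer, (EC)DHE key exchange, AEAD bulk cipher, >= 128-bit key.
"""
import re
import socket
import ssl
import sys

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Matches OpenSSL names ('ECDHE-RSA-AES128-GCM-SHA256') and TLS 1.3 names
# ('TLS_AES_128_GCM_SHA256') once underscores are normalised to hyphens.
AEAD_PATTERN = re.compile(r"AES-?(128|256)-GCM|CHACHA20-POLY1305")


def check_cipher(name: str, protocol: str, bits: int) -> list[str]:
    """Return the list of policy violations; an empty list means it passes.

    Arguments mirror the 3-tuple returned by ssl.SSLSocket.cipher().
    """
    problems = []
    if protocol not in ALLOWED_PROTOCOLS:
        problems.append(f"protocol {protocol} is below TLS 1.2")
    # TLS 1.3 suites always use ephemeral (EC)DHE, so forward secrecy only
    # needs to be read from the suite name on older protocol versions.
    if protocol != "TLSv1.3" and not name.startswith(("ECDHE-", "DHE-")):
        problems.append("no forward secrecy: key exchange is not (EC)DHE")
    if not AEAD_PATTERN.search(name.replace("_", "-")):
        problems.append("bulk cipher is not an AEAD mode (GCM or ChaCha20-Poly1305)")
    if bits < 128:
        problems.append(f"key length {bits} bits is below 128")
    return problems


# Constructed sample negotiations (assumed values, not captured from any server).
SAMPLES = {
    "page-stated": ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    "tls13": ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    "legacy-cbc": ("ECDHE-RSA-AES128-SHA", "TLSv1.2", 128),
    "static-rsa": ("AES256-SHA", "TLSv1.0", 256),
    "export-grade": ("EXP-RC4-MD5", "TLSv1.0", 40),
}


def audit_samples() -> dict[str, list[str]]:
    """Run the policy check over every constructed sample."""
    return {label: check_cipher(*triple) for label, triple in SAMPLES.items()}


def probe(host: str, port: int = 443) -> tuple[str, str, int]:
    """Connect to a live host and return its negotiated (name, protocol, bits).

    The default context also validates the server certificate, so a failed
    handshake here is itself a finding worth recording.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live probe of a host the operator chooses
        name, proto, bits = probe(sys.argv[1])
        print(f"{sys.argv[1]}: {name} {proto} {bits}-bit ->",
              check_cipher(name, proto, bits) or "OK")
    for label, findings in audit_samples().items():
        print(f"{label:13s} -> {findings or 'OK'}")
```

Running it with a hostname as the first argument reports what that server actually negotiates with this client; without arguments it only evaluates the constructed samples, which is enough to see which of the policy's four conditions each legacy suite fails.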
What do we have in place for access controls?
At Shift Physiotherapy & Wellness we have implemented measures to ensure that only authorized users have access to personal health information.
Identification and verification:
We assign unique usernames and passwords to each authorized user of our health information system.
We require users to create strong passwords.
We encourage all staff to use multi-factor authentication, such as hardware or software tokens, to verify their identity when accessing personal health information.
Deciding what information users need to access:
We limit access to personal health information based on the user's job responsibilities and the minimum amount of information necessary to perform their job duties.
We review and update user access permissions regularly to ensure that users only have access to the information they need to perform their job duties.
Making changes when users change positions or leave:
We have a process in place to remove access to personal health information when a user changes positions or leaves our organization.
We require users to notify us immediately if they suspect that their username or password has been compromised.
What policy do we have in place for change controls?
Shift Physiotherapy & Wellness has implemented the following measures to ensure that changes to our systems do not adversely affect the confidentiality, integrity, or availability of personal health information:
Change Management:
Our organization has a change management process in place to ensure that all changes to systems, software, and hardware are properly evaluated, tested, and approved before implementation.
Our change management process includes a risk assessment to determine the potential impact of the change on the confidentiality, integrity, or availability of personal health information.
Changes that have the potential to adversely affect the confidentiality, integrity, or availability of personal health information are subject to additional review and approval.
Testing:
All changes to systems, software, and hardware are tested thoroughly before implementation to ensure that they do not adversely affect the confidentiality, integrity, or availability of personal health information.
Monitoring:
Our organization monitors our systems, software, and hardware on an ongoing basis to ensure that they are operating correctly and that personal health information remains confidential, intact, and available.
What if there is a security breach?
We will, without delay, notify the Office of the Information and Privacy Commissioner of Alberta as well as affected clients of a security breach involving personal information. The Privacy Officer will handle these situations if they arise.
At Shift Physiotherapy & Wellness, we take privacy and security breaches very seriously. We have established a comprehensive framework for responding to such incidents in order to minimize any potential harm to, or impact on, our clients.
Privacy and security breaches can fall under different categories, including unauthorized access or disclosure of personal information, data breaches, hacking attempts, and others. We have implemented appropriate technical and administrative safeguards to prevent such incidents from occurring, but in the event of a breach, we will take the necessary steps to investigate and mitigate the issue promptly.
Our response to privacy and security breaches includes appropriate sanctions for individuals who are found to have violated our privacy policies or applicable laws and regulations. Depending on the severity and nature of the breach, sanctions may include disciplinary action, further training, termination of employment or contract, legal action, or other appropriate measures.
We also take steps to notify affected individuals and regulatory authorities, where applicable, in the event of a privacy or security breach. This includes providing clear and transparent communication about the nature and extent of the breach, the steps we are taking to address it, and any actions affected individuals can take to protect themselves.
What if I have questions or concerns regarding privacy or security?
If you have a question or concern about any collection, use or disclosure of personal information by Shift Physiotherapy & Wellness, or about a request for access to your own personal information, please contact Kristen Redhead, Privacy Officer/Security Officer at info@shiftptwellness.com
If you are not satisfied with the response you receive, you should contact the Information and Privacy Commissioner of Alberta:
Office of the Information and Privacy Commissioner of Alberta
Suite 2460, 801 - 6 Avenue, SW Calgary, Alberta T2P 3W2
Phone: 403-297-2728 Toll Free: 1-888-878-4044
E-mail: generalinfo@oipc.ab.ca Website: www.oipc.ab.ca