Updated June 9, 2015
“Personal health information” has the meaning given to it by applicable law (if any), and in any event includes information about an individual that (i) relates to the physical or mental health of the individual (including information that consists of the health history of the individual’s family), (ii) relates to the providing of healthcare to the individual (including the identification of a person as a provider of healthcare to the individual), or (iii) relates to payments or eligibility for healthcare, or eligibility for coverage for healthcare, in respect of the individual. For example, personal health information includes information about an individual’s health, the healthcare services the individual receives, payments for healthcare services for the individual and the individual’s health card number, and messages between an individual and a healthcare provider.
In Ontario, meshMD Inc. is subject to Ontario’s Personal Health Information Protection Act, 2004 (the “PHIPA”). Under PHIPA, when we provide services to Ontario healthcare providers and they or their patients provide personal health information to us in relation to those services, we act as an “agent” under PHIPA to that healthcare provider (in that healthcare provider’s capacity as a health information custodian under PHIPA).
We also provide services to healthcare providers in other jurisdictions, and in the course of providing those services may collect personal information, including personal health information, from them in order to provide services to them. Our collection, use and disclosure of that personal information are subject to all applicable laws.
We also provide services to individuals directly, and in the course of providing those services may collect personal information, including personal health information, from those individuals in order to provide services to them. Our collection, use and disclosure of that personal information are also subject to all applicable laws.
We collect personal information to provide you with services and support, establish contractual relationships and process payments. For example, we require your name and email address in order to provide you with access to our website. We will only ask you to provide the information required to complete your request or improve your service. You can always choose not to disclose information, but this may make it impossible for us to provide you with a particular service.
In some cases, we collect and use information provided by healthcare providers about their patients to provide services to the healthcare provider. As described above, we use this information to assist the healthcare provider in the provision of healthcare. A plain-language description of the services we provide to healthcare providers is available on our website at https://wellx.ca/terms/privacy.
In other cases, we collect and use information provided by individuals to provide them with services related to their healthcare. This can be information we collect on behalf of the individual’s healthcare provider (for example, personal information provided to us by a patient after being invited by a healthcare provider to use our services), or it can be information we collect from the individual for use in our delivery of services directly to the individual, on his or her own behalf. For example, we collect your name, email address and other demographic information to create your account.
To provide, maintain and improve our services, we also collect monitoring and auditing data in order to analyze, support and improve our services. For example, we may automatically track certain information about your visits to our website, such as your geographic location, computer type and the site from which you discovered us. We aggregate and/or anonymize this data before using or disclosing it. We do not collect personal health information for these purposes.
We will not sell, lease or trade your personal information to any third parties.
If you are an individual using our services, we may disclose your personal information to the healthcare providers to which you give access to that personal information in the course of using our services. For example, if you request or establish a relationship with a healthcare provider on our services, we will disclose your name and demographic information to that healthcare provider for their records.
We may from time to time use the services of affiliates, subsidiaries and unrelated service providers in the operation of our services, and may disclose your personal information to them in the course of our use of their services. For example, we may use the services of third-party hosting companies. This may involve the hosting of data, including personal information, on servers operated by those hosting companies. We take care to use only service providers that we believe are reputable and able to live up to our and your expectations, including about the handling of personal information.
We cooperate with law enforcement inquiries and demands for information that are made under force of law. Therefore, we may disclose your personal information (a) to any governmental authority as part of an investigation to determine our compliance with any applicable law, rule, or regulation (including privacy laws, rules, and regulations), (b) in response to a court order, subpoena, discovery request, or other lawful judicial or administrative proceeding, or (c) as otherwise required under any applicable law, rule, or regulation.
We may also disclose personal information to the acquirer or its agents in the course of the sale of our business. If we do this, the disclosure will be subject to confidentiality arrangements customary in such transactions.
Finally, please note that in some cases, information (not including personal health information) that we collect may be stored or processed outside of Canada. For example, when we send you an email or text message, we rely on services located in the United States of America. In such cases, we continue to protect the information with appropriate safeguards, but it may be subject to the legal jurisdiction of those countries and governmental authorities in those countries.
Limiting access to only those personnel who require the information to provide our services. We provide training to our personnel in compliance with our privacy practices. Unauthorized access, use and disclosure of personal information by our personnel are strictly prohibited, including disclosing information to a third party, family member or friend or using the information for personal benefit.
Retaining your personal information only as long as required to provide services to you or to comply with applicable laws. Specific retention periods vary depending on the nature of the information.
Encrypting your personal information when it is stored or transferred offsite and protecting our servers and other unencrypted storage with physical security.
Protecting our servers, databases and networks with state-of-the-art firewalls and encryption technology, including TLS/SSL, the industry standard for website encryption and security.
Auditing access to and modification of personal information, particularly personal health information, and requiring individualized accounts and strong passwords for access.
As a user of our services, you agree that you will adhere to the best practices described below to safeguard your personal information. If you are a healthcare provider, you also agree to ensure that your employees and agents adhere to these practices to protect your information and your patients’ information.
Specifically, you agree to:
Use your own personal email address and password when accessing our services. Do not share your password with any other person.
Provide personal information to us using only the following methods: (a) through our secure website, (b) by fax, with an attached Confidential Fax cover page, or (c) by phone, if required for support purposes. Email is not a secure method for transmitting personal information.
Maintain your software, devices and networks as required to ensure security. For example, you should apply software updates and use anti-virus or security software as applicable to your device.
Notify us immediately of any change to your personal or account information that may impact the security and privacy of personal information (for example, staffing, phone number and email address changes).
Notify us immediately of any privacy or security breach that may impact our service (for example, if your email account or password has been compromised).
Not attempt to circumvent any of our practices, policies or technical safeguards for the protection of personal information, or to aid another person in doing so.
You have the right to access and verify the personal information associated with your account. Access requests should be directed in writing to our Chief Privacy Officer, using the address provided at the end of this policy. We will respond to your request within thirty days.
We will not provide patients with access to information that we collect or use on behalf of their healthcare provider and that would not generally be accessible to a patient user through the use of our services. Requests for access to this information should be directed to the applicable healthcare provider, who may in turn request the information from us.
If you identify inaccuracies in our personal information, we will make an appropriate change in accordance with your instructions. If we are unable to change your information and you disagree with our decision, we will note your opinion in your file.
We respect your right to withdraw consent to the collection, use and disclosure of your personal information, subject to legal and contractual restrictions and reasonable notice. Upon receipt of a consent directive from an individual or their authorized representative, we will act on your instruction and, if applicable, inform the appropriate health information custodian of the implications. Withdrawing consent for the collection and use of your personal information may limit our ability to provide you with services.
You should direct any questions or concerns about our policy and practices and any access or correction requests to our Chief Privacy Officer:
91 Tycos Drive
Phone: 1 (888) 502-7701
Our services to healthcare providers may include:
If you, as a patient, have any questions or concerns about these services, please contact us using the information above.