​

Health Information Privacy & Security Policy: Chiropractic

 

Overview

At Shift Physiotherapy & Wellness our staff abide by specific privacy policies and procedures depending on the type of services rendered. For patients who are receiving chiropractic care, our privacy policies are based on the Health Information Act and are outlined in this particular policy. 

If you are coming for other services, such as physiotherapy, registered massage therapy or naturopathic medicine please refer to our other privacy policy entitled, “Personal Information Privacy Policy: Physiotherapy, Massage Therapy & Naturopathic Medicine”, which falls under PIPA legislation.

Regardless of the policy, Shift Physiotherapy & Wellness is committed to safeguarding the personal information entrusted to us by our clients. We manage your personal information that is collected for or during chiropractic care in accordance with the Health Information Act and other applicable laws and legislations. This policy outlines the principles and practices we follow in protecting your personal information. The policy also applies to any person providing services on our behalf. A copy of this policy is provided to any client on request. 

 

Our privacy commitment 

At Shift Physiotherapy & Wellness, we protect patient privacy by: 

• Collecting only the personal information required to provide chiropractic services.

• Advising you how your information might be disclosed and when we are required to obtain your consent.

• Safeguarding your personal information. 

• Sharing your personal information only for the purposes stated in the Health Information Act (HIA) or otherwise permitted by law. 

• Ensuring any contractors we hire who may have access to your information also protect the privacy of your information. 

• Training staff and adapting the office space to ensure maximum protection of your privacy.

• Ensuring personal information is current, complete and accurate. 

• Providing you access to your personal information and a mechanism for requesting corrections. 

• Having our privacy officer and security officer available to answer your questions. 

• Periodically reviewing our privacy policy to ensure it provides adequate protection for your personal information.

 

What is personal information?

Personal information means information about an identifiable individual. This includes an individual’s name, home address, phone number, age, sex, marital or family status, an identifying number, financial information, educational history, etc.

 

What personal/health information do we collect?

At Shift Physiotherapy & Wellness, we understand that your health information is sensitive and private. We collect your health information only for specific and legitimate purposes and only with your consent, unless otherwise authorized by law.

The Health Information Act (HIA) sets out the statutory authority for the collection of health information in Alberta, Canada. We collect your health information in accordance with the HIA, which allows for the collection of health information for specific purposes, including:

• Providing you with health care services or treatment

• Managing and administering the health care system

• Conducting research, provided that the research is conducted in accordance with applicable laws and regulations

• Fulfilling legal or regulatory requirements, including reporting of communicable diseases and other public health risks

• Supporting law enforcement investigations, where authorized by law

 

We may also collect your health information with your consent or as otherwise permitted by law. We will only collect the minimum amount of health information necessary to achieve the specified purposes, and we will take appropriate measures to protect the confidentiality and security of your health information.

Some examples of acceptable uses of health information in a multidisciplinary health clinic under the HIA include:

• Providing you with treatment, including assessment, diagnosis, and treatment planning

• Communicating with other health care providers involved in your care, such as your physician or specialist, to ensure coordinated and effective care

• Conducting quality assurance activities to ensure that we are providing the highest standard of care

• Providing education and health promotion activities, such as workshops or seminars, to help you manage your condition and improve your health

• Billing for services provided, including submitting claims to your insurer or third party payor

 

We will only use your health information for legitimate purposes and will take appropriate measures to protect the confidentiality and security of your health information.

 

Consent

We ask for consent to collect, use or disclose client health information, except in specific circumstances where collection, use or disclosure without consent is authorized under the Health Information Act or by law. We ask for your express consent for some purposes and may not be able to provide certain services if you are unwilling to provide consent to the collection, use or disclosure of certain personal information. Where express consent is needed, it is collected through an online consent form. A client may withdraw consent to the use and disclosure of personal information at any time. 

 

How do we maintain accuracy of your health information?

We are committed to maintaining the accuracy of your health information. We accept written requests to change your health information on file should an error be made. You have the right to access and correct your personal and health information held by us. If you would like 

 

you access or correct your information, please contact our privacy officer. You can expect the privacy officer to respond to your request within 30 days. The privacy officer will be able to provide you with information regarding how we make decisions on whether to grant or refuse a correction request. These policies are based on the Health Information Act (HIA).

 

What privacy training do our employees receive?

We take our obligations under the Health Information Act (HIA) seriously and are committed to protecting the privacy and confidentiality of individuals' health information. As part of our commitment to maintaining high standards of privacy and security, we ensure that all staff members receive appropriate training on the HIA, as well as on our organizational policies and procedures for protecting personal health information. We require all new staff to complete privacy and security training as part of their orientation, and we provide ongoing training rto ensure that all staff remain up-to-date on their obligations under the HIA. This training includes instruction on the collection, use, disclosure and protection of personal health information, as well as on the importance of maintaining the confidentiality and security of this information. We also require all staff to sign a confidentiality agreement to ensure that they understand their obligations with respect to protecting personal health information. 

 

How do we maintain technical and administrative safeguards to protect health information?

To ensure the safety and confidentiality of your health information, we maintain technical and administrative safeguards that comply with applicable laws and regulations. Our technical safeguards include secure data storage and transmission, firewalls, encryption, and regular security updates. Our administrative safeguards include access controls, employee training, and ongoing monitoring of our systems to detect and prevent any unauthorized access or use of your health information.

We understand that the protection of your health information is a crucial aspect of our business, and we take this responsibility seriously. We commit to continuously 

 

improving our technical and administrative safeguards to ensure that your health information remains secure and confidential.

 

What is our schedule for periodic review of privacy policies?

As part of our commitment to continuously improve our privacy practices, we conduct periodic reviews of our privacy policies to ensure that they are up-to-date and compliant with applicable laws and regulations.

Our privacy policies are reviewed on an annual basis, or more frequently if necessary. During these reviews, we assess any changes to our data collection, processing, storage, and sharing practices to ensure that they align with our commitment to protecting your privacy.

We also take into account any feedback received from our customers or other stakeholders regarding our privacy practices during these reviews. If any updates or changes are made to our privacy policies, we will notify you through our website.

We understand the importance of keeping our privacy policies current and relevant, and we strive to ensure that they reflect our commitment to protecting your privacy.

 

Access to health Information

Under the Alberta Health Information Act (HIA), individuals have the right to request their own health information that is in our custody or control. If you wish to access your health information, you can make a written request to our organization. We will send you a form to fill out to make a formal access request. We will respond to your request in accordance with the timelines and requirements set out in the HIA, which is currently 30 days. 

 

Please note that there may be certain circumstances where we are unable to provide you with the access to all or part of your health information, such as if the disclosure of the information could harm your physical or mental health or if it contains confidential third-party information. In such cases, we will provide you with a written explanation of why access was denied and your rights to appeal the decision. 

 

If you have any questions or concerns about how we handle your personal health information or wish to make a request for access, please contact our privacy officer.

 

Shift Physiotherapy & Wellness will abide by the fee guidelines set in the “Regulated fee schedule under the Health Information Act (HIA).” Please contact our privacy for an outline of the associated fees.

 

With whom do we share your information?

At Shift Physiotherapy & Wellness, we understand the importance of protecting the privacy and confidentiality of our clients' health information. However, there are certain circumstances in which we may need to disclose this information to other organizations or persons. Below we outline those circumstances and explain our procedures for disclosure as outlined by the Health Information Act (HIA).

Disclosure with Consent:

Except for limited circumstances specified in the HIA, Shift Physiotherapy & Wellness will get your written consent before releasing information to a third party, such as a family member, lawyer, or insurance company. Consent allows for disclosure to anyone for any purpose, according to the terms of the consent.

Disclosure without Consent:

The HIA provides limited and specific circumstances where we can disclose your information to a third party without your consent. Some examples include disclosing information:

• to another custodian, for the purpose of providing an individual with health services

• to any person, if the custodian reasonably believes that the disclosure will avert or minimize a risk of harm to the health or safety of a minor, or an imminent danger to any person

• if authorized or required by another enactment of Alberta or Canada, for example, the Public Health Act to a police service if the custodian reasonably believes the information relates to the possible commission of an offense under an enactment of Alberta or Canada, for example, the Criminal Code of Canada, and the disclosure will protect the health and safety of Albertans

 

Disclosure of Non-Identifying Information:

In some cases, we may disclose non-identifying information about your health, such as statistics or aggregated data, to other organizations or persons for research or public health purposes. This information does not include any personally identifiable information and cannot be used to identify you.

Keeping a Record of Disclosure:

We keep a record of all disclosures of your health information, including the name of the person or organization to whom the information was disclosed and the purpose of the disclosure. 

Disclosure Notice:

In the event that we disclose your health information to another organization or person, we will provide you with notice of the disclosure as required by law. This notice will include the name of the person or organization to whom the information was disclosed and the purpose of the disclosure.

At Shift Physiotherapy & Wellness, we take our responsibility to protect your privacy very seriously. We will only disclose your health information in accordance with the HIA, applicable laws and regulations. If you have any questions or concerns about our disclosure procedures, please do not hesitate to contact us.

 

How do we classify information?

Our organization is committed to protecting the confidentiality, integrity, and availability of personal health information in accordance with the Health Information Act (HIA) and other applicable legislation and professional standards. To achieve this, we classify health information based on its sensitivity and use this classification to determine the most appropriate level of security.

Health information is classified into one of three levels of sensitivity based on the degree of potential harm or damage that could result from unauthorized access, use, or disclosure:

 

Level 1 - Low sensitivity: Health information that, if compromised, would result in little to no harm or damage. Examples include basic demographic information, such as name and address, and information related to routine medical procedures.

Level 2 - Medium sensitivity: Health information that, if compromised, could result in some harm or damage. Examples include mental health information, addiction-related information, and information related to infectious diseases.

Level 3 - High sensitivity: Health information that, if compromised, could result in significant harm or damage. Examples include genetic information, HIV status, and information related to mental health or substance use disorders.

Once health information has been classified, we use this classification to determine the most appropriate level of security. This includes implementing administrative, technical, and physical safeguards that are commensurate with the sensitivity of the information and the risks associated with its collection, use, disclosure, and retention.

Our organization's Privacy Officer is responsible for overseeing the classification of health information and ensuring that appropriate security measures are in place. We are committed to protecting the privacy and confidentiality of personal health information and ensuring that it is handled in a manner that is consistent with legislative requirements.

 

How do we handle research requests?

At Shift Physiotherapy & Wellness, we recognize the importance of protecting the privacy and confidentiality of our clients' health information. We also understand the value of research in advancing medical knowledge and improving healthcare outcomes. This privacy policy clause outlines our procedures for handling research requests and agreements with researchers under Sections 48-56 of the Health Information Act (HIA).

Approval Process for Research Requests:

All research requests must be submitted to Shift Physiotherapy & Wellness’ privacy officer for review and approval. The privacy officer will consult with independent experts in the field of medical research, and they will review the request to ensure that it meets ethical and legal 

 

standards for the use of health information. The privacy officer will also evaluate the potential risks and benefits of the research and consider any privacy concerns that may arise.

Agreements with Researchers:

Before we disclose any health information to a researcher, we require them to sign a written agreement that outlines the conditions under which they will access and use the information. This agreement will include provisions to ensure the confidentiality and security of the information, and it will require the researcher to comply with all applicable laws and regulations. The agreement will also specify the purposes for which the information will be used and will prohibit any further use or disclosure of the information without our express consent.

In cases where the research is being conducted by an external organization or institution, we will enter into a formal agreement with that organization or institution to ensure that they are bound by the same confidentiality and security requirements as our own employees.

We take our responsibility to protect the privacy and confidentiality of our clients' health information very seriously, and we will only disclose information for research purposes when we have obtained the necessary approvals and agreements. If you have any questions or concerns about our research procedures, please do not hesitate to contact our Privacy Officer.

 

How do we ensure that third parties, which include contractors and information managers, protect your health information?

At Shift Physiotherapy & Wellness, protecting your health information is of utmost importance. We understand that third-party contractors and information managers may have access to your personal information in the course of their work. We have implemented the following measures to ensure that third-party contractors and information managers protect your health information:

Privacy Requirements for Third-Parties:

We require that all third-party contractors and information managers sign a confidentiality agreement before they are granted access to your health information. This agreement outlines their responsibility to protect your health information and to comply with all applicable privacy laws and regulations.

Review of Third-Party Compliance:

We regularly review third-party compliance with our privacy requirements to ensure that they are protecting your health information in accordance with our policies. If a third-party contractor or information manager is found to be non-compliant with our privacy requirements, we take immediate action to address the issue.

Requirements for Out-of-Province Information Managers:

We understand that some third-party information managers may be located outside of the province. In these cases, we require that the information manager complies with all applicable privacy laws and regulations in their jurisdiction, as well as our privacy requirements.

 

How often are Privacy Impact Assessments conducted?

Under Section 64 of the Health Information Act (HIA), a custodian is required to prepare a PIA any time there are new, or if there are changes to, existing administrative practices or information systems relating to the collection, use or disclosure of individually identifying health information. Our organization's Privacy Officer is responsible for ensuring our appointed custodian conducts PIAs and ensuring compliance with the HIA. PIAs are reviewed annually by our appointed custodian or whenever there is a significant change to our organization's information management practices or technologies.

 

What are our policies for record retention and disposition? 

Our organization is committed to maintaining the confidentiality, privacy, and security of personal health information in accordance with the HIA. We keep records containing health 

 

information for as long as necessary to fulfill the purposes for which they were collected, and as required by law or professional standards.

We follow the records retention and disposition schedules recommended by the Alberta Health Records Act (HRA), the HIA, and other applicable legislation and professional standards. These schedules provide guidance on the minimum retention periods for different types of health information, as well as the disposition requirements when records are no longer needed. According to the Health Information Act, currently Shift Physiotherapy & Wellness is required to retain diagnostic and treatment records for 10 years after the date of discharge, or 2 years after the patient reaches or would have reached the age of 18, whichever is longer. 

Once records containing health information are no longer needed, we ensure that they are securely disposed of in accordance with our organization's policies and procedures, as well as applicable legislation and professional standards. This includes the use of appropriate security measures such as shredding, burning, or secure electronic deletion to prevent unauthorized access, use, or disclosure of personal health information.

Our organization's Privacy Officer is responsible for overseeing the secure disposal of health information and ensuring compliance with the HIA and other applicable legislation and professional standards. We are committed to protecting the privacy and confidentiality of personal health information and ensuring that it is handled in a manner that is consistent with legislative requirements.

 

Where do we store your information?

Personal health information is stored on our third party service provider Jane App. We chose this system partly for their commitment to security. Their privacy policy can be found here: https://jane.app/privacy. 

We store electronic records on secured hardware, use antivirus software and passwords on all computers and take care to protect screen monitors from public viewing. Electronic information is transferred in secure files and made anonymous wherever possible.  We do not share your personal information outside our office for any marketing, promotional, publicity, educational, or research purposes without your consent.  We train staff to handle your information only through the protected measures outlined in our privacy procedures. If consultants or contractors are hired, we take steps to ensure the consultant or contractor also protects your privacy.

 

How do we safeguard personal information?

We understand that the safeguarding of personal information in a health care environment is extremely important. Jane App stores and utilizes personal information on servers that satisfy HIPAA compliance, and access to that information is secured by industry standard password requirements and 2FA (Two Factor Authentication). Where third party services are used, separate agreements ensuring the safety of your information have been transacted. Owners of the company are granted full access to personal information, and employees/contractors are only granted the information that is required to fulfill their responsibilities. We also train our staff/contractors to handle your information through the measures outlined in our privacy policy.

 

How do we conduct risk assessments?

Shift Physiotherapy & Wellness is committed to protecting the privacy and confidentiality of personal health information in accordance with the Health Information Act (HIA) and other applicable legislation and professional standards. To ensure the effectiveness of our privacy policies and practices, we conduct periodic risk assessments.

These risk assessments are designed to identify potential threats, vulnerabilities, and risks to the privacy and confidentiality of personal health information, as well as the effectiveness of our existing privacy policies and practices. The risk assessments consider factors such as the nature and sensitivity of the information we collect, use, disclose, and retain, as well as the administrative, technical, and physical safeguards we have in place to protect it.

Based on the results of the risk assessments, we update our privacy policies and practices as necessary to address any identified risks and ensure ongoing compliance with legislative requirements and professional standards. We also provide training and education to our workforce on any updates to our privacy policies and practices.

Our organization's Privacy Officer is responsible for overseeing the risk assessment process and ensuring that appropriate actions are taken to address any identified risks. We are committed to continuously improving our privacy policies and practices to protect the privacy and confidentiality of personal health information.

 

What do we do to ensure physical security of data and equipment?

Our organization is committed to protecting the privacy and confidentiality of personal health information in accordance with the Health Information Act (HIA) and other applicable legislation and professional standards. To achieve this, we have implemented physical and administrative safeguards to secure health information in both paper and electronic form.

Physical safeguards:

We secure our workspaces by limiting access to authorized personnel only and locking our offices and file cabinets when not in use.

We ensure that computers, fax machines, copiers, and other office equipment are located in secure areas and that they are password-protected.

We use a privacy function on our charting software to prevent unauthorized individuals from viewing health information displayed on computer monitors.

We ensure that mobile equipment, such as notebook computers and mobile data storage devices, are physically secured when not in use and that they are password-protected.

Administrative safeguards:

We limit access to health information to authorized personnel only, and we ensure that our workforce members are trained on our policies and procedures related to the protection of personal health information.

We regularly update our office computer security software to protect against unauthorized access, viruses, and malware.

We use strong passwords and change them periodically to prevent unauthorized access.

We use secure methods for disposing of paper records containing health information, such as shredding, and we ensure that electronic records are securely deleted or destroyed when no longer needed.

 

What do we do to ensure business continuity?

Shift Physiotherapy & Wellness recognizes the importance of ensuring that personal health information is available when needed, and has implemented measures to ensure the availability, integrity, and confidentiality of personal health information.

Data backup:

Our organization uses the Jane App charting software. Jane uses mirrored database servers (which act as real-time backups) so in the unlikely event that something happens in the data center, Jane can flip over immediately to use the other database server. Jane also performs nightly off-site backups, just as an additional precautionary measure. 

Disaster recovery:

Our organization has a disaster recovery plan in place that is regularly reviewed and updated to reflect changes in technology, business needs, and regulatory requirements.

The disaster recovery plan includes procedures for restoring critical systems and applications, as well as procedures for restoring personal health information from backups.

Jane App data is stored in a secure facility, complete with the latest security, authorization, and surveillance technologies. Jane App data center is, at minimum, SOC 2 audit and compliant. Jane's data is also backed up nightly to an offsite location in Quebec. Our data centers all do annual SOC2 compliance audits and reports. 

As well, for disaster recovery, Amazon Web Services (AWS) provides at least 2 geographically separated data centers, and our backups are stored across all the data centers so that even if one goes down, the data could be retrieved from the other.

AWS data centers are in the Montreal area for our Canadian customers. Data resides on Canadian soil

Business needs:

Our data backup and disaster recovery plans are based on our business needs and the criticality of personal health information to the ongoing operations of our organization.

We regularly review our business needs and the criticality of personal health information to ensure that our data backup and disaster recovery plans are appropriate and effective.

 

What do we do for network and communications security?

Shift Physiotherapy & Wellness has implemented measures to secure our network and communications infrastructure.

Malware (anti-virus) protection:

We use anti-virus software to protect our computer systems and network from viruses, malware, and other types of malicious software.

We ensure that our anti-virus software is up-to-date and that it is configured to scan all incoming and outgoing data.

Firewalls:

We use firewalls to control and monitor incoming and outgoing network traffic. The Cisco Meraki MX67 network security appliance has an extensive suite of security features, including IDS/IPS, content filtering, web search filtering, anti-malware, geo-IP-based firewalling, IPsec VPN connectivity, and Cisco Advanced Malware Protection, while providing the performance required for modern, bandwidth-intensive networks

We configure our firewalls to restrict unauthorized access to our network and to block unauthorized attempts to access personal health information.

Intrusion detection systems:

We have enabled both intrusion detection/prevention systems and advanced malware protection on our firewall to monitor our network for unauthorized access and suspicious activity. 

We configure our intrusion detection systems to alert us in the event of a security breach or attempted breach.

Our charting software, Jane App, has enabled AW’s security features like intrusion protection system and web application firewall. 

Encryption:

We use encryption to protect personal health information when it is transmitted over public networks, such as the internet.

We use secure encryption protocols, such as Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP), to ensure that personal health information is protected during transmission.

Data that passes through our charting software, Jane App, is encrypted, both at transit and at rest. Jane App also encrypts all volumes where customer data is stored, and we also individually encrypt all backups. Data in transit is encrypted using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM and at rest using AES 256 encryption.

 

What do we have in place for access controls?

At Shift Physiotherapy & Wellness we have implemented measures to ensure that only authorized users have access to personal health information.

Identification and verification:

We assign unique usernames and passwords to each authorized user of our health information system.

We require users to create strong passwords.

We always suggest to our staff that they use multi-factor authentication, such as tokens, to verify their identity when accessing personal health information.

Deciding what information users need to access:

We limit access to personal health information based on the user's job responsibilities and the minimum amount of information necessary to perform their job duties.

We review and update user access permissions regularly to ensure that users only have access to the information they need to perform their job duties.

Making changes when users change positions or leave:

We have a process in place to remove access to personal health information when a user changes positions or leaves our organization.

We require users to notify us immediately if they suspect that their username or password has been compromised.

 

What policy do we have in place for change controls?

Shift Physiotherapy & Wellness has implemented the following measures to ensure that changes to our systems do not adversely affect the confidentiality, integrity, or availability of personal health information:

Change Management:

Our organization has a change management process in place to ensure that all changes to systems, software, and hardware are properly evaluated, tested, and approved before implementation.

Our change management process includes a risk assessment to determine the potential impact of the change on the confidentiality, integrity, or availability of personal health information.

Changes that have the potential to adversely affect the confidentiality, integrity, or availability of personal health information are subject to additional review and approval.

Testing:

All changes to systems, software, and hardware are tested thoroughly before implementation to ensure that they do not adversely affect the confidentiality, integrity, or availability of personal health information.

Monitoring:

Our organization monitors our systems, software, and hardware on an ongoing basis to ensure that they are operating correctly and that personal health information remains confidential, intact, and available.

 

What if there is a security breach?

We will, without delay, notify the Office of the Information and Privacy Commissioner of Alberta as well as affected clients of a security breach involving personal information. The Privacy Officer will handle these situations if they arise.

At Shift Physiotherapy & Wellness, we take privacy and security breaches very seriously. We have established a comprehensive framework for responding to such incidents to minimize any potential harm or impact on our customers or users.

Privacy and security breaches can fall under different categories, including unauthorized access or disclosure of personal information, data breaches, hacking attempts, and others. We have implemented appropriate technical and administrative safeguards to prevent such incidents from occurring, but in the event of a breach, we will take the necessary steps to investigate and mitigate the issue promptly.

Our response to privacy and security breaches includes appropriate sanctions for individuals who are found to have violated our privacy policies or applicable laws and regulations. Depending on the severity and nature of the breach, sanctions may include disciplinary action, further training, termination of employment or contract, legal action, or other appropriate measures.

We also take steps to notify affected individuals and regulatory authorities, where applicable, in the event of a privacy or security breach. This includes providing clear and transparent communication about the nature and extent of the breach, the steps we are taking to address it, and any actions affected individuals can take to protect themselves.

 

What if I have questions or concerns regarding privacy or security?

If you have a question or concern about any collection, use or disclosure of personal information by Shift Physiotherapy & Wellness, or about a request for access to your own personal information, please contact Kristen Redhead, Privacy Officer/Security Officer at info@shiftptwellness.com

 

If you are not satisfied with the response you receive, you should contact the Information and Privacy Commissioner of Alberta:

Office of the Information and Privacy Commissioner of Alberta

Suite 2460, 801 - 6 Avenue, SW Calgary, Alberta T2P 3W2

Phone: 403-297-2728 Toll Free: 1-888-878-4044

E-mail: generalinfo@oipc.ab.ca Website: www.oipc.ab.ca