PATIENT PRIVACY AGREEMENT
Effective Date: November 4, 2019
Privacy is a cornerstone of our business and the services we offer. We therefore take our obligations related to personal information, personal health information and health records very seriously.
The present Patient Privacy Agreement binds 8336083 Canada Inc. doing business as Wink Technologies Inc. (hereinafter referred to as the ‘Corporation’) as well as any User as defined herein.
The present Patient Privacy Agreement is an integral part of the Terms of Use of the Corporation’s software. All Users who agree to our Terms of Use are therefore bound to adhere to the principles in the present Patient Privacy Agreement.
The Corporation reserves the right to, from time to time, update or modify the present Patient Privacy Agreement to accommodate any improvements and enhancements made to its services or software.
Interpretation
For the purposes of the present Patient Privacy Agreement, the words below shall have the following meaning:
Patient (or individual patient) – any individual who receives or has received, or purchases or has purchased products or services from the User or any of its affiliates, and whose information is held by the User for that reason.
Personal information – information which relates or concerns an identifiable individual or through which there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.
Personal health information – refers to any information concerning the physical or mental health of an individual, any health service they have received or any information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual. This includes any and all information that is collected in the course of providing health services to the individual or information that is collected incidentally to the provision of health services to the individual.
User – refers to all optical stores that have agreed to the Terms of Use and are legally using the Corporation’s software who are bound by our Terms of Use, and includes all of their employees, agents, authorized individuals, optometrists and opticians related thereto.
Our Legal Obligations
In line with the application of the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA) and with the Act Respecting the Protection of Personal Information in the Private Sector of Quebec, the stipulations below detail the Corporation’s obligations under the law and the patients’ rights regarding the confidentiality, access and protection of their personal and personal health information.
As a Canadian company, the Corporation is bound to a strict adherence to the obligations under PIPEDA to respect and protect the information in its possession. By agreeing to the Corporation’s Terms of Use and using the software, the User agrees that all protection of privacy shall be governed by Canadian law.
Chief Privacy Officer
The Corporation has designated Mr. Ted Harrar, Vice President, as the Corporation’s Chief Privacy Officer.
The Chief Privacy Officer oversees all the activities related to the development, implementation, maintenance and adherence to the Corporation’s privacy policies and procedures. These policies cover the collection, use, disclosure and privacy of personal information in compliance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable legislation.
The responsibilities of the Chief Privacy Officer include but are not limited to:
- Ensuring compliance with the Ten Principles outlined in PIPEDA and applicable legislation for the protection of personal information;
- Responding to requests for access to and correction of personal information and general issues concerning personal information;
- Working with the offices of government commissioners during the investigation of a privacy complaint against the organization;
- Developing and implementing privacy policies and procedures;
- Developing and creating appropriate privacy confidentiality consent forms, authorization forms, and information notices and materials reflecting current organization and legal practices and requirements;
- Creating and delivering educational, training and orientation programs for all employees, volunteers, and other appropriate third parties;
- Conducting privacy risk assessments and audits;
- Monitoring systems development and operations for security and privacy compliance;
- Ensuring compliance related to privacy, security and confidentiality;
- Providing counsel relating to business contracts and partnerships;
- Establishing and administering a process for receiving, documenting, and tracking all complaints concerning personal information;
- Maintaining current knowledge of privacy legislation and regulations; and
- Managing public perception of data protection and privacy practices for the organization.
The Information Collected
The Personal Information collected is strictly limited to the information necessary for the purposes of executing the Corporation’s obligations both in virtue of its Software, any of its applications and the services it provides the User as defined in the Terms of Use. These services include but are not limited to the following: management of all appointments including contacting the individual patient to remind them of an upcoming appointment, general business management solutions including but not being limited to the tracking of shipments, inventory, accounting, interfacing with laboratory machines and providing the User and consequently the individual patient with a complete and protected electronic health record.
As such, only information necessary to better serve the needs of the User’s individual patients and contacting the patients regarding upcoming appointments and promotions (subject to the individual patient’s consent) will be collected, retained and used by the Corporation. Such information may be the following: name, address, telephone number and medical care card number or other identifier related to public or private insurance coverage or copies thereof where required, email address and date of birth of the patient as well as prescription and health information and information regarding the products and services they have purchased from the User in the past. Information regarding appointment history and upcoming appointments will also be collected, retained and used by the Corporation.
In the course of the services being offered, the Corporation may also store and collect the image of the individual patient along with facial dimensions and measurements through its PhotoBooth Application. The purpose of the Corporation’s PhotoBooth Application is to facilitate the selection and purchase of eyeglasses for the individual patient and to process orders. The images will not be used for any other purpose.
The strict limitation on the information collected is applied to both the type of information and the amount of information collected for these purposes.
Consent
Due to the sensitive nature of some of the personal identifying information and personal health information, the obligation of obtaining the consent of the patient to the disclosure of this information lies solely upon the User of the Software. Such consent must, by law, be free and enlightened, cannot be sought in a deceptive manner and cannot be implied. Upon requesting consent, the individual patient must be made aware of the use and disclosure that will be made of their personal information and personal health information, what the purpose of the use and disclosure will be and to whom it will be made available. Due to the fact that the Corporation is legally obligated to only collect the information that is necessary for the purposes for which it is sought, the individual patient will also need to be informed of the type of personal information that will be disclosed, used and retained.
To satisfy its obligations under the law, the Corporation requests that, at the time of seeking consent, the patient must be read or shown statements substantially similar to the statements below and including all of the following information:
I hereby understand that (NAME OF THE USER) may be required to share my personal health information and record with government authorities, public or private health care or insurance providers, ophthalmic labs and some other third parties only on an “as needed” basis or as required by law;
I hereby understand and agree that my information may be stored locally on a server of (NAME OF THE USER), but will also be stored off-site in a secure location for purposes of data back-up and practice management by the Corporation;
I hereby agree to be contacted personally by (NAME OF THE USER) or on behalf thereof by the Corporation in order to receive appointment reminders and order confirmations; and
I hereby agree to be contacted personally by (NAME OF THE USER) or on behalf thereof by the Corporation in order to receive information regarding offers, promotions and exclusive sales tailored specifically to my optical needs.
Before any personal health information can be used by the Corporation, the patient must have consented to the use, disclosure and/or retention as described in the statements above. The Corporation will only use the information of and contact the patient who has consented thereto. It is the sole responsibility of the User to ensure that consent of the individual patient is obtained clearly and correctly within the scope of the legal requirements and as such is solely liable for any and all damages or injury resulting from a breach of confidentiality or infringement of privacy.
In the event that the individual patient is a minor, consent to be contacted regarding upcoming appointments will be sought by the parent, legal guardian or representative that is authorized to grant such consent by law. If the individual patient is an adult incapable of giving his/her consent, consent shall be sought by the legal guardian or representative that is authorized to grant such consent by law. It would therefore be the parent, legal guardian or representative who will be contacted by the Corporation in lieu of the minor or incapable adult.
The individual patient may withdraw their consent to the disclosure of their personal or personal health information from the User and the use or retention by the Corporation of this information at any time subject to legal or contractual restrictions and providing reasonable notice. The Corporation will be bound to cease any and all communication with the individual patient within a reasonable time of being informed in writing of the withdrawal of such consent by the optical store or by the individual patient.
Use, Retention and Disclosure
The personal information and/or personal health information which is transferred to the Corporation in virtue of the Terms of Use and for the execution of its obligations thereunder will not be used for any purposes other than those specified therein and as described in the present Patient Privacy Agreement and in the Corporation’s Terms of Use. In order to fulfil its obligations under the Terms of Use and to provide the services contracted for by the User, the Corporation may be required to disclose personal information or personal health information of the individual patient to third parties. Where possible, the Corporation will make all reasonable efforts to anonymize the personal information or personal health information that is being disclosed to third parties or send data that has been fully anonymized and thus no longer subject to the protection of privacy legislation.
Any personal information or personal health information that is no longer required for the specified purposes in the Terms of Use or following the express withdrawal of consent by the individual patient, will be destroyed or rendered fully anonymous and retained by the Corporation.
It is the sole obligation of the User to ensure that the individual patient is informed of and explicitly consents to such use, disclosure and retention.
Individual Access & Rectification
According to applicable law, the individual patient has a right to request access and rectification of the personal information or personal health information the User and the Corporation possess. It is the obligation of the User to ensure that all information be accurate, complete and up to date. All requests to access and rectification will be dealt with in the manner prescribed by law.
Safeguards
The Corporation has safeguards in place to protect all patient information in its possession that is transferred to its servers from the User’s servers. The User’s communication to the Corporation’s servers is encrypted using SSL and all of the User’s interaction with the database is logged. Furthermore, all interaction with the database is restricted by the User’s system administrator. As such, only the individuals who require access to the patient’s information for the execution of their functions will have access to the database. The hard drives of all servers are also encrypted to ensure the security thereof.
Given the Corporation’s priority of protecting the personal information and personal health information it possesses, all employees and agents of the Corporation understand and adhere to the present Privacy Agreement. The safeguards the Corporation has put in place include a log of all modifications made to the patient information which allows the Corporation to revert back to any previous version of the patient’s information and allows for better protection of the information from unauthorized access, use or disclosure as well as unauthorized tampering in order to ensure both the confidentiality and integrity of the information it holds.
For more information, please contact the Corporation at Privacy@Downloadwink.com