PRIVACY POLICY

In adopting and adhering to this Policy, we assure you that the personal information we collect will be used in an appropriate and responsible manner. CHSINC is committed to protecting the privacy of all personal information which has been provided to us and we will manage personal information in accordance with applicable Canadian privacy legislation and any other applicable provincial or federal legislation.
This Policy applies to the personal information collected through the Services by CHSINC. This includes personal information collected, used, processed and disclosed through:
• CHSINC’s Solutions
• CHSINC’s Sites, as well as our social media, such as Facebook, Twitter, YouTube and LinkedIn
• Correspondence from individuals about our Sites, the Solutions and/or the Services (including e-mails, messages sent to us through the Sites, telephone calls to our call centres)
• Providing support for our Services
• Online job applications

In this Policy, “personal information” means information about an identifiable individual, including personal health information about that individual. “Personal health information” means identifying information that relates to an individual’s health, including diagnostic, treatment and care information, and information like the individual’s personal health number.

CHSINC provides software solutions for healthcare providers and patients. In the course of using our Solutions, healthcare providers will collect, use and/or disclose personal information about their patients, including personal health information.In the provision of our Solutions, CHSINC manages (and in some cases hosts) personal information on behalf of healthcare providers, who remain the custodians of that personal health information.

This Policy is not about the collection, use, and/or disclosure of personal information by healthcare providers. If you would like to know more about how your healthcare provider handles your personal information, you should ask them about their policies and practices. To learn more about the types of personal information which your healthcare provider may collect from you while using the Solutions, click on the Personal Information Collected by Healthcare Providers Using the Solutions section below.

CHSINC’s Solutions provide healthcare providers with a platform to collect, use, process, store, and disclose patients’ personal information. Below, we have described what types of personal information are collected by healthcare providers (including physicians, pharmacists and their administrative staff) using each solution.EMR Advantage

EMR Advantage allows for the collection, use and disclosure of the following types of personal information by healthcare providers:

• Name
• Address
• Contact information, including phone number and e-mail address
• Demographic information, such as languages spoken, occupation, age, gender, and dependent information
• Personal health number
• Personal health information, including:
  • Visits to your healthcare provider (e.g. date of service, healthcare provider, visit type, visit reason, referring provider, payment information); and
  • Health information recorded by health care providers and their staff in the course of providing treatment (e.g. conditions, diagnoses, medications, diagnostic imaging, lab observations, immunizations, treatments, referrals, clinical observations, surgical history and consultations).

Medeo

Medeo allows for the storage of the following types of personal information by users, and for the collection, use and disclosure of the following types of personal information by healthcare providers and caregivers:

• Name and other demographic information
• Appointment dates (for in clinic and virtual visits)
• Medical conditions
• Reason(s) for visit
• Encounter notes
• Prescription information
• Lab requisitions
• Care plans
• Messages between healthcare providers and patients

Medeo includes an option to add premium features through a Medeo Plus subscription.

If the healthcare provider also has EMR Advantage, certain personal information can be shared between EMR Advantage and Medeo by the provider (e.g. appointment information and personal health information).

FreedomRx

FreedomRx allows for the collection, use and disclosure of the following types of personal information by health care providers and pharmacies:

• Name
• Address
• Telephone number
• Date of birth
• Gender
• Personal health number
• Medication information
• Health information such as allergies
• Messages between prescribers and pharmacists
• HealthMail Address
• Identifying information about the healthcare provider and clinic

Your healthcare provider will share pertinent information with the pharmacy indicated by the healthcare provider or selected by you in the course of providing treatment. FreedomRx is being used by many independent pharmacies, Shoppers Drug Mart and Loblaw Pharmacies.

CHSINC also uses third party partners to provide additional functionality to our Solutions. See the section Partners in Providing Specialized Service below for a description of these partners and services.

CHSINC also collects personal information from and about individuals in a variety of ways, including: when it is provided directly; and when individuals interact with us and use the Sites, Solutions, and/or the Services.We use personal information to provide our products, Services and Solutions, to manage our business relationship, to communicate offers and information, to measure the effectiveness our Services, including marketing and promotions about our Services, and as permitted or required by law.

CHSINC collects certain personal information from our clients and their staff in the course of managing our business relationship. For example, we collect the names and authentication information of our clients’ staff so they have unique log in credentials to use the Solutions in accordance with our License and Services Agreements with clients. For user verification and security purposes, we also collect information like IP address and browser type for use in conjunction with authentication information. We also collect personal information about our clients’ staff when providing them with Services like training or support on our Solutions.

Personal Information You Provide to CHSINC

We collect information that you provide directly to CHSINC, over the telephone, by e-mail, as well as through the use of the Sites and the Solutions. This includes your contact information, account and profile information associated with the Solutions, limited personal health information, appointment information, feedback, ratings, reviews, job application information, social media information, and call centre information. Click on the headings below to learn more about the purposes for collecting this information.

• Contact information:

We collect your personal information when you contact CHSINC to directly to inquire about Sites, the Solutions, and/or the Services. For example, when you complete any of the contact or inquiry forms on our Sites, we will collect your name, phone number, e-mail address, city, province, postal code, and any other information that you choose to provide to us. When you send customer support a message on one of our Sites, we collect your name, e-mail address, phone number, and any other information that you choose to provide to us. When you report a problem, or submit questions, concerns or comments regarding the Solutions, we may also collect your name, e-mail address, phone number, and other information that you choose to provide to us.

We use your contact information to contact and correspond with you directly about our relationship, and your use of the Sites, Solutions and/or Services. We may contact you to inform you about our services in different ways including by mail, email, telephone, or other means to which you have agreed. We may use your contact information to provide you with information, quote, or services that you have requested, to respond to customer service requests, and where we have your consent to do so, to send you push notifications on your device through the Solutions.

Where permitted and we have your consent to do so, we may send you information about CHSINC’s services, including general updates and announcements, contests, promotions relating to the care, seminars, workshops and events (see below for information on how to “opt-out” of receiving certain communications from us).

• Account and profile information:CHSINC collects personal information from patients when they register for an account with Medeo, typically after downloading the application, and when patients create or modify their account or user profile. This includes information such as:
  • Name
  • Address
  • Birthdate
  • E-mail address
  • Phone number
  • Username and password

We use your account and profile information to set up provide you with access to the Solutions and/or Services, to create and set up your account and user profile, and to administer your use of the Sites, Solutions and/or Services. We also use your account and profile information to connect you with a healthcare provider or patient, as applicable.

• Feedback, Ratings and Reviews:

We collect the information you include in any feedback you provide to CHSINC through the Sites, Solutions, or when you e-mail or call our customer service. We use feedback, rating and review information to improve the Sites, Solutions, and/or Services, including to administer and resolve technical issues on the Sites or Solutions. We may also use this information to investigate and address your concerns. In addition, we may use this information to suspend or deactivate the user accounts, and to assist in training our employees and service providers.

• Job application information:

We use a third-party service provider, ADP, to host the online careers page on the CHSINC website, and to manage job applications submitted through the website. In order to apply for a position listed on our careers page, you will be redirected to ADP’s website where you can submit an application for the posted position. As part of the application process, you will be asked to submit personal information such as your name, e-mail address, mailing address, phone number, and resume. This personal information is collected directly by ADP on behalf of CHSINC. We use this information to evaluate an applicant’s eligibility and suitability for employment with CHSINC. To learn more about ADP’s privacy practices, please see its privacy policy for client employees at https://privacy.adp.com/privacy.html?locale=en_CA.

• Social media information:

When you visit one of our social media sites (e.g. LinkedIn, Facebook, YouTube, Twitter), we may collect personal information that you choose to submit to us such as your name, contact information, or any other information you choose to provide. We use this information for the purpose of responding to an enquiry you have made to us through social media.

• Call centre information:

When you call one of our call centres (e.g. to request customer support for one of our Solutions or to request a quote), those telephone calls may be recorded and we may collect personal information that you may provide during those calls, such as your name, telephone number, and e-mail address. We use this information for the purposes of providing you with any information that you request (e.g. a quote) and for providing you with customer support for our Solutions

• Other information:

We collect any other personal information that you submit directly to CHSINC on a voluntary basis. For example, we will collect and use information like name, clinic name, address, phone number, email and products of interest when you enter a contest or promotion.

Information Provided by Your Healthcare Provider to CHSINC

Generally, CHSINC will collect personal information directly from the person to whom the personal information relates. However, given the nature of the Solutions, CHSINC will sometimes receive personal information about you from your healthcare provider.

All users of our Solutions, including healthcare providers and their administrative staff, must have a unique login to access and use EMR Advantage, Medeo and FreedomRx. As a result, CHSINC clients will provide CHSINC with the certain identifying information to enable CHSINC to set up and manage accounts and user profiles for client staff to access and use the Solutions.

• For EMR Advantage, this includes: Name, e-mail, phone number, college registration number, demographic information, and security/PIN information.
• For Medeo, this includes; Name, e-mail, phone number, occupation and specialization, and password.
• For FreedomRx, this includes: name, username and e-mail.

To set up a healthcare provider with EMR Advantage, the healthcare provider may provide CHSINC with a copy of their patient database to be imported into the EMR Advantage solution. This will include all personal information in their patient files which the provider wants to digitize in the solution. When setting up pharmacies with FreedomRX, the pharmacy will provide CHSINC with the names of pharmacists and their email addresses.

CHSINC may also receive personal information about you from a client when a client initiates a request for service or support. To provide this service, we may require access to an electronic file or data set, which may include your personal information.

If you have concerns about personal information that has been provided to CHSINC by your employer or your healthcare provider, you should address that concern directly with your employer/healthcare provider. CHSINC will reasonably assist its clients in answering questions that individual users may have about their accounts.

Information Automatically Collected When Using the Websites, Social Media, or the Solutions

CHSINC uses various technologies which automatically collect certain information. These technologies include cookies and analytics technology. The information we collect includes device, technical and usage information, geolocation information, and video call and messaging information. Review the sections below to learn more about each type of automatic collection of information by CHSINC.

• Device, technical and usage information:

We collect your IP address, web browser type, and operating system when accessing our Sites and Solutions. We also collect information about the sections of the Sites and Solutions that you visit, the date and time of your use of the Sites and Solutions, your in-media time, your actions within the Sites and Solutions, crashes and other system activity on the Sites and Solutions, and certain content that you download from the Sites and Solutions. We use device information to understand traffic and activity on the Sites and the Solutions, to audit use of the Solutions for licensing purposes as well as for license modeling, to enable us to improve the Sites, the Solutions and/or the Services, to understand what drives traffic to our Sites, to understand interest in our Services, and to tailor our marketing. For example, this information helps us understand whether a Solution is compatible with your mobile device. CHSINC also reviews Solution usage information to measure adoption, engagement, and improve the product and services.

• Video visits:

To facilitate video visits through Medeo, we use third party service providers, for services such as STUN and TURN to facilitate video calls between healthcare providers and patients who are using Medeo. The third-party service provider may collect personal information about these calls, including the date and time of the call and customer IP addresses to facilitate the video visit. The contents of video streams cannot be viewed by our third-party service providers.

• Messaging:

Messaging though Medeo is facilitated by embedded communication APIs, such as Twilio for SMS and SendGrid for email. Messaging through HealthMail is all conducted through our Solutions directly.

• Web analytics:

We want to learn more about how our customers and prospects interact with our Sites and Services so we can improve existing products and services, develop new products, services, programs, promotions, contests or events, and better understand how to communicate with you. Personal health information is not shared for web analytics or marketing purposes.

• Cookies and Analytics:

CHSINC uses third party analytics tools, such as Google Analytics and Pardot. These analytics services track certain activities on our Site by setting cookies in your browser. Cookies remember preferences when a visitor returns to the Site. They can also be used for logged-in users to maintain the session and remember the user. These cookies don’t collect personally identifying information, only a unique identifier. Google analytics uses cookies to track certain usage information on the Sites, to create reports for CHSINC about activities of viewers. Such information may include aggregated information about the devices, networks, general geolocation, page visits, duration of visits and click through information of visitors to our Site and Solutions. This data is used for aggregate reporting purposes. To learn more about Google’s privacy practices, including how you can view and edit your preferences, please see the Google Privacy Policy.

• Visitor preferences.

If you have provided your contact information on one of the sign-up forms on our Sites, or have been added to our Salesforce database, analytics services like Pardot will connect your activity on our Sites with your account in our Salesforce database. Visitors to the Sites will receive a message that asks them to opt in on their first visit. The message doesn’t appear again unless you clear your cookies. You may opt out of tracking, in which case Pardot treats the session as if cookies are disabled. You may opt-out at any time by clearing your cookies, which will cause the opt-in message to reappear when you visit the Site, allowing you to opt-out. Visitors who do not opt-in are treated as if they have opted out. In the event you opt-in, Pardot will set cookies on your browser which will remember preferences (like form field values), maintain the session and remember table filters when you return to the Site. Pardot will also provide us with reports about the types of activities in which you engage on our Site, so we can better understand your use and interest in our Site and Services, and provide you with information we think may be of interest or assistance to you.

Business and Legal Uses of Personal Information by CHSINC

In addition to the purposes listed above, in general, CHSINC may also use the personal information we collect about you to:

• conduct data analysis, testing, and monitor and analyze usage and activity trends;
• ensure compliance with and identify violations of the applicable Terms of Service;
• enforce our rights arising from any contracts between you and us;
• enforce billing and collections;
• identify and prevent fraudulent activity and to protect security of the Sites and Solutions;
• meet legal and regulatory requirements; and
• facilitate such other services and activities, as we may identify to you at the time.

CHSINC will only use your personal information for the purpose for which it was originally collected, or for a use consistent with that purpose, unless you expressly consent or it is permitted or required by law.

There are various ways you may consent to the collection, use and disclosure of your personal information processed through our Solutions on behalf of your healthcare provider and the Services provided by CHSINC. Typically, you will voluntarily give information to your healthcare provider or will otherwise provide your consent to them. You should raise any questions you have about consent you have given your healthcare provider directly with them.As described above, there are some instances in which individuals provide personal information to CHSINC. If you install any of the Solutions, enter into a License and Services Agreement, create an account to use one of our Solutions, or use the Sites, Solutions or Services, you acknowledge the notices in this Policy and you consent to CHSINC collection, use, disclosure, and retention of your personal information in accordance with this Policy and as otherwise permitted by law. You may withdraw your consent at any time by giving CHSINC reasonable notice, but consent may not be withdrawn where doing so would frustrate performance of a legal obligation.

In some cases, CHSINC may seek your consent for the use and disclosure of your personal information after it has been collected, but before it has been used or disclosed (e.g. where we want to use your personal information for a purpose not previously identified to you). We will not use or disclose your personal information for any new purpose without first identifying the new purpose and providing notice to you or obtaining your consent (as applicable), unless otherwise permitted by law. You can always choose not to provide CHSINC with certain requested personal information, but then you may not be able to access or utilize all or part of the Sites, the Solutions and/or the Services.

We may share your personal information within our group of companies, or with our service providers and other third parties for the purposes described below and in accordance with applicable laws.CHSINC does not share any of your health information with any advertisers or related companies. Except as described in this Policy or in other situations where we have provided you with prior notice, have obtained your consent, or are obligated or permitted by law, CHSINC will not share your personal information with third parties. Please note that third party companies are not governed by this Policy and may have their own privacy policies and practices regarding personal information.

Sale or Transfer of the Business

CHSINC may decide to sell or transfer all or part of our business to a related company or to a third party, to merge with another entity, to insure or securitize its assets, or to engage in another form of corporate or financing transaction (including transfers made as part of insolvency or bankruptcy proceedings or as part of a corporate reorganization or stock sale or other change in corporate control). CHSINC may share your personal information in connection with the evaluation of and/or entry into such transactions.

Where Required or Authorized by Law

CHSINC may also disclose your personal information where authorized or required by law. For example, we may disclose your personal information to comply with a subpoena, in response to a law enforcement body with the lawful authority to obtain the information, pursuant to an investigation into the breach of a law, or to our legal counsel.

We want you to understand your choices and make informed decisions about how we use and disclose your personal information. There are several options available for you to manage your privacy preferences including, for example by managing your preferences within your account(s), contacting CHSINC directly, changing your browser or device settings, and/or by contacting third parties.Opting-Out of Marketing Communications from CHSINC

If you provide us with your e-mail address and “opt-in” to receiving messages from us via the e-mail address provided, you may receive electronic communications from us from time to time. These electronic communications will provide you with our contact information and a method to opt-out and unsubscribe from receiving marketing information and/or any further communications from us. You can opt-out of receiving these types of communications by updating your email preferences or clicking the unsubscribe link directly within the emails.

CHSINC may use your e-mail address to communicate with you regarding important matters, such as information about your account with one of our Solutions. You may not opt-out of receiving communications required by law, or necessary to provide you with requested services.

Tracking Technologies

You can disable cookies by adjusting the settings on your internet browser. Disabling cookies may affect your ability to access some pages on the Sites and some parts of the Solutions may not be accessible or may not function properly.

Advertising

We do not share personal health information. We also do not share your personal information with unaffiliated third parties for marketing or promotional purposes.

We do not control third parties’ collection or use of your information to serve advertising. These third parties may provide you with additional choices about how they use your information or ways to choose not to have your information collected or used in this way. You can opt out of several third-party ad servers’ and networks’ cookies by using one of the tools created by the Digital Advertising Alliance of Canada.

The security of personal information in our care is important to us.We have built security features into our Solutions to help healthcare professionals protect your personal health information when they are using the Solutions. Some of these features include access controls, unique user accounts, multi-factor authentication, threat detection, and active logging.

CHSINC takes precautions to help safeguard personal information we manage through the Solutions or is otherwise provided to us. We have made security arrangements to protect against unauthorized access, collection, use, disclosure, and disposal of personal information, in a manner appropriate to the sensitivity of the information. These measures include various administrative and technological safeguards including unique user accounts, and role-based access based on need to know. We also use security practices to protect our systems, which include but are not limited to regular monitoring of our systems for possible vulnerabilities and attacks, proactive penetration tests, encryption of data in transit and at rest, active logging, and employing intrusion detection and prevention systems. We also take steps to ensure that our third-party service providers provide similar or better privacy and security for the personal information they process for us.

As well, CHSINC will use care when destroying or disposing of personal information to prevent unauthorized access, use or disclosure of any personal information. CHSINC employees with access to personal information are required to respect the confidentiality of such information.

The safety and security of your personal information also depends on you. CHSINC is not responsible for any lost, stolen, or compromised usernames, passwords or for any activity on your account via unauthorized password activity. You should take steps to protect against unauthorized access to your account by, for example, choosing a robust password and keeping your username and password private. CHSINC is not responsible for any failure by you to secure your own devices and their access to the Internet or your use of public, unsecured networks. The Sites and Solutions may include links to external websites. Once you leave the Sites or the Solutions, this Policy does not apply. CHSINC is not responsible for the privacy practices, collection of personal information, or content of external websites.

Unfortunately, information systems, the transmission of information via the Internet and mobile platforms are not completely secure. Although we have designed features and employed security techniques to protect your personal information, we cannot guarantee the security of personal information at all times. Any transmission of your personal information is at your own risk.

EMR Advantage is only hosted on datacenters located in Canada and personal health information is always stored in Canada.CHSINC stores some business and client contact information on servers in the United States. Some personal information (including personal health information) may be processed outside of Canada. For example, peer-to-peer connections and video streaming on the Solutions are supported from within Canada, with fail-over servers located in the United States. CHSINC also engages third party service providers outside of Canada to process data for the purposes of improving data security. As a result, your personal information may be processed in the United States by one of CHSINC’s third party service providers and may be subject to the laws and access by government or regulatory organizations in the United States.

Most of the data that CHSINC manages is on behalf of health care providers and individuals through use of the Solutions. As described above, we also collect some personal information for use by CHSINC.Personal Information Managed on Behalf of Your Healthcare Provider

Personal information that is collected by your healthcare provider, including your personal health information, is the responsibility of the healthcare provider, being the custodian of that information. Your personal information associated with your relationship with that custodian will be subject to the retention policies and practices of the custodian.

Personal Information You Provide to CHSINC

Personal information collected by CHSINC for its use directly is maintained in accordance with applicable privacy legislation and CHSINC’s retention policies and practices. Generally, CHSINC stores your personal information for as long as it is reasonably necessary to fulfill the purposes we collected it for, except as otherwise permitted or required by applicable law or regulation.

For clients who have purchased CHSINC-hosted Solutions, CHSINC backs up client data and retains those backups for approximately 30 days. Data imports from health care providers may be retained for six months for data integrity confirmation purposes.

When the applicable retention period ends, personal information is scheduled for destruction according to our record retention policies. Where the personal information is stored in an electronic format, it will be deleted from the Solution or systems in which it is retained. Any backups of the personal information will exist until rotated out of the backup archives. Physical storage which is retired is put through a deep data wipe, degaussing and/or physical destruction designed to ensure there is no risk of personal information being recovered.

Under some circumstances we may anonymize or aggregate your personal information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.

You can challenge the accuracy and completeness of your personal information. It may be most appropriate for you to raise this with your healthcare provider who maintains your healthcare record.Accessing or Correcting Personal Information in a Medical File or stored on behalf of your Healthcare Provider

If you want to access or correct personal information in your medical file, including personal information stored in a Solution on behalf of your healthcare provider, you should make the request directly to your healthcare services provider. It is your responsibility to provide any updates to your personal information to your healthcare provider as appropriate.

Accessing or Correcting Personal Information Collected by CHSINC for Use by CHSINC

If you have an account with one of our Solutions, all personal information in your account and user profile is accessible by you. You can make changes to certain personal information that CHSINC holds about you, such as your contact information, by editing the information in your account. You are responsible for keeping the personal information in your account up to date and accurate. If you are a Medeo user, certain minimum personal information must be input in your account in order to use the Solution’s services. For example, users must share their name, email address and certain other account related information we may reasonably require for verification purposes.

In appropriate circumstances, CHSINC will amend personal information. It is your responsibility to provide any updates to your personal information to CHSINC in writing, as applicable.

You may request access to your personal information and/or correction of that information by contacting CHSINC in writing at the contact information noted below, with sufficient detail to enable CHSINC to identify the personal information being sought. When you contact CHSINC, we may ask for further information to confirm your identity and the nature of the information being sought.

After we receive your request for access to personal information, CHSINC may provide you with an estimate of when you can expect a response. In some cases, CHSINC may need additional time to respond to a request, in which case we will provide you with written notice of the extension. If you require the documents in an alternative format, we will make reasonable efforts to provide you with your personal information in that format.

Please note that in some cases, CHSINC may not provide access to personal information that we hold about you, such as where the denial of access is authorized by law. There are also cases where CHSINC may be legally required to refuse access to personal information. If CHSINC denies your request for access to personal information, we will advise you of the reason for the refusal, and will provide the name, title, and contact information of the designated person who can address the refusal.

CHSINC may charge a reasonable fee according to the cost required to retrieve and provide access to the requested information, or to provide it in a requested alternative format. We may provide an estimate of the fee in advance and in some cases, will require a deposit for all or part of the fee.

Questions or concerns about your personal health information should be directed to the healthcare provider from whom you received healthcare services.If you have a product, service, program, or are participating in a promotion, contest or event that is offered by a third party on behalf of CHSINC, the third party may hold certain of your personal information. Should you have any questions or concerns about their use of your personal information, we will direct you to the appropriate contact so that you may make enquiries as to that party’s privacy policies and practices.

Questions or concerns regarding this Policy, including the collection of your personal information, can be directed to the CHSINC Privacy Officer, who is responsible for ensuring CHSINC’s compliance with this Policy. You can contact the Privacy Officer using any of the following methods:

Mailing Address: 1902 Robertson Rd., Suite 204, Ottawa, Ontario, Canada K2H 5B8

Email: info@chsinc.ca

CHSINC takes any complaint about our privacy practices seriously. CHSINC will investigate all complaints. If CHSINC finds a complaint justified, we will take the necessary steps to resolve it. You will be informed of the outcome of the investigation regarding any complaint. If you are not satisfied with CHSINC’s response to a complaint, you may have options to exercise various complaint procedures, including with the relevant Privacy Commissioner or regulatory authority.