Members Health provides its users the capability to engage in secure video consultations with health care providers from the privacy and convenience of a location they choose as secure and appropriate. This means personal information and personal health information is collected by Members Health. This information is highly-sensitive and protected by the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) and all applicable provincial personal health information protection legislation throughout Canada.
By law, personal information is that which relates to an identifiable individual, to the exclusion of business contact information (name, title, work address, work phone number or work email address). Personal health information includes information that relates to an identifiable individual’s health, physical and/or mental health history, including family health history, and/or medical treatment.
Information we collect
From patients: When consulting a health care provider registered with Members Health, we collect: Name, email and phone number of the patient, date and time of the appointment, confirm address info and health card details, together with any written instructions the provider has added to the "notes for patient" after the appointment, and files attached by the provider or patient during or after the appointment inside the platform, usually as PDF or Word documents
From health care providers: We collect name, business contact information, availability and specialization details.How we protect the information we collect: Members Health protects personal and personal health information through integrated physical, technological and administrative safeguards:
Physical safeguards: Members Health premises do not house any of the electronic equipment upon which personal health information is permanently stored, this information is stored directly on Telus supplied and managed Secure Servers inside highly secure Telus Facilities, none of which can be accessed without Telus authorization and protocols being followed.Access is controlled by digital tokens, codes and monitored in a manner that keeps all personal and personal health information secure from unauthorized access.Members Health electronic equipment does include portable equipment, however these devices do not locally store personal or personal health information, they are merely the conduits to secure cloud based data.All necessary backups are safely locked away, offsite, by third parties. Members Health does not keep personal or personal health information on paper.
Technological safeguards: Members Health stores all personal and personal health information with Telus on Telus Secure Servers based in Toronto, and, also with a third party in Montreal, Canada, with Amazon Web Services Secure Cloud (AWS). AWS is certified as compliant with ISO/IEC Standard 27018:2014 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. In addition to the independent certification process under ISO/IEC 27018:2014, this Standard also includes the right to audit AWS for compliance.
The secure video and/or text consultations we utilize are encrypted with the AES cipher using 128-bit keys.
Here are the details of our encryption: • The basic voice, video, and text traffic are converted into cipher, a form which cannot be understood by anyone except authorized parties. • The conversion is done with random keys that change from the beginning to the end of the conversation to make it even more secure. • The keys last a short period of time and are neither stored nor persistent anywhere. Members Health destroys or anonymizes all personal and personal health information when it is no longer necessary to deliver service. Members Health employees can only gain technological access to personal information or personal health information collected by Members Health: • With a robust password, based on required elements. • Upon authorization, granted strictly on a need-to-know basis, defined according to job requirements.
Access is monitored through technological audit trails. Audit trails are reviewed to ensure compliance.
Administrative measures: Members Health has appointed a Designated Privacy Contact, who acts as Chief Privacy and Security Officer (CPSO) firstname.lastname@example.org, Tel. 1 800 484 0152 - responsible for information systems monitoring and information security policy and procedure management.
The CPSO is responsible for compliance with Members Health’s privacy program including: • Undertaking threat and risk assessments on a regular basis and as systems are approved • Adopting policies and procedures on the basis of threat and risk assessments to mitigate all identified risks, and updating these policies and procedures as necessary.
Members Health users may access their personal information whenever they wish, by contacting our CPSO.Upon the express request of a user, Members Health will immediately close the user’s account and destroy or anonymize all personal information related to that account.
Members Health senior management receives regular reports on privacy compliance and, in turn, reports to the Board for oversight.
Members Health uses external services for the provision of data storage and these parties are regularly audited by a third party to ensure they meet our privacy obligations. This is part of a process for Members Health to reassess all policies and procedures on an ongoing basis to ensure that legal requirements are met and personal and personal health information is highly secure.
How we use the information we collect Members Health will never use personal or personal health information for purposes other than those for which it is provided – with express consent – and those necessary to deliver the service requested by our users.
Members Health will never sell the personal information or personal health information it collects, nor otherwise make any such information available to a third party in exchange for remuneration.
Members Health will never disclose personal or personal health information, except as required by law and upon demonstrated lawful authority, as determined by our Corporate Legal Counsel.
Should Members Health conduct market or product research, it will never use personal nor personal health information, which is traceable to any individual; rather, it will fully anonymize information, meaning the risk of this information being traced back to a given individual is reduced to the greatest extent possible.
Breach response There is no total guarantee against data breaches. However, as described above, Members Health has taken all steps it believes reasonable as measures to prevent breaches.
Furthermore, in the event of a breach, Members Health would immediately mitigate its impact by: • Notifying users at the first reasonable opportunity, namely as soon as we identify the breach • Applying remedial measures immediately.