PIPEDA, HIPAA, & Privacy

One of the most important aspects of an EMR is its secure handling of private information.  Thousands of private medical charts are being stored on our servers on a daily basis, and we believe it is important for you to know just what measures we have taken and what guidelines we are following to ensure the privacy and security of your data.
‍
PIPEDA (The Personal Information Protection and Electronic Documents Act) is a set of rules and guidelines developed in Canada that govern the collection, use or disclosure of personal information about an identifiable individual; in our case, medical records.  The Office of the Privacy Commissioner of Canada has prepared a guide to help organizations like SmartND fulfill their responsibilities under PIPEDA.  The following is a summary of the guidelines and steps that SmartND has taken to comply with PIPEDA.

Keep in mind that although there may be some ambiguity in the wording used in this article, we only store medical information – we do not collect it.  As such, it is assumed that the practitioner who is collecting the information from their patients has obtained the proper consent to do so.  Although SmartND provides methods for practitioners to record that they have obtained consent from their patients, we do not monitor nor do we verify or audit this consent.

The accountability guideline requires that one individual be taken as accountable for adherence to the principles of PIPEDA.  SmartND has appointed a Privacy Officer to take on this accountability and ensure that SmartND complies with all aspects of PIPEDA.  The Privacy Officer for SmartND is Mr. Venk Prabhu.  One of the roles of the privacy officer is to answer the following questions:

We collect personal contact information and store medical information entered by healthcare practitioners and their patients.  Some of this information can be considered sensitive.

We collect and store this information as a service to health care providers so that they can more effectively fulfill their responsibilities to their patients.  A health care provider’s role is to collect information from their patients in order to assess their condition and provide a treatment plan.  We provide a service to help store this information, and allow health care providers  as well as patients the ability to retrieve this information as necessary.

We collect this information through a cloud-based service called SmartND.

Personally identifiable information is never used for any purpose other than to display this information to specific healthcare providers.  Non identifieable information is used to generate statistical reports on the usage of the SmartND service.  These statistical reports do not contain any personally identifiable information, and are only used to improve the service and/or provide valuable statistical insights into the industry.

This data is stored in the country of origin, on physical computer servers, under 24/7 security.

The information is secured in many ways.  The physical databases are secured by 24/7 security by reputable third-party hosting providers.  The service itself uses SSL-based security to protect data entered into our service via the web-based application.

Healthcare practitioners have access to all the data they have entered, and any data that has been share with them by other practitioners.  Patients have access to their treatment plans and any other data that has been shared with them by the practitioners.  Select senior SmartND staff have access to the databases but adhere to a strict access procedure where medical information is concerned.  Every database access to private information is based on a client request, and we get your written permission before accessing your data.  Your data is stored in such a way that our staff cannot easily determine who is the subject of the data being accessed.  In most cases, troubleshooting on your account can be done without any access to private medical data at all, but in those few instances where we need to access your medical charts directly in order to help you troubleshoot a problem, this access is very targeted to the specific area we are helping you with.

Personally identifiable information is never disclosed to any 3rd party by SmartND, unless required to by law.  In the case of a legal requirement, SmartND will first communicate this to the practitioner involved, and give them enough time to oppose the request.

Data on SmartND servers will not be disposed of.  If ever SmartND is required to dispose of data, all data will be returned to the author of the data prior to disposal.

This guideline requires us to identify the reasons for collecting personal information at the time of collection:  Personal contact information which is collected through the process of creating an account on SmartND is required in order for us to identify the individual creating the account.  This identification is used to secure the account against unauthorized access, and to establish customer eligibility for special offers or discounts.   We do not collect medical information and only serve as a storage service for this data.

This guideline requires us to obtain informed consent for the collection of personal data.  As we do not collect medical data, we do not obtain consent from patients – this is the responsibility of the practitioner.  However we do collect personal information for the purpose identified above, and we use this information as described above.  As the process of opening an account for online services is not a novel use of personal data, we assume that the individual creating an account on our service is implying consent that we use this personal information for the purposes of opening an account.  The individual opening an account on SmartND is also required to agree to our Terms of Service and Privacy Policy.

This guideline requires us to not collect information indiscriminately.  All the information that we collect ( we do not collect medical information) is used as described above, and no irrelevant information is collected.

This guideline requires us to use collected information only for the reasons specified above, and to disclose this information only if necessary and if authorized by the PIPEDA guidelines.  SmartND does only use the information collected for the purposes identified above.

This guideline requires us to be accurate about the use of the information collected.  Our information collection methods are tested and do accurately store the right information in association with the right individual.  If ever an error does occur, we are available to discuss the error and remedy it upon request.

This guideline requires us to use appropriate safeguards to protect personal information against loss or theft, unauthorized access, disclosure, copying, use or modification.  Our safety protocols are identified above, and we are using industry standard SSL connections during data collection to prevent theft of sensitive information.

This guideline requires us to be open about the method we have used to safeguard personal information.  This document serves that purpose.

This guideline requires us to allow individuals to have access to any personal information we store about them.  Any medical information stored on our servers is always accessible to the practitioner who collected and authored the information.  Should a patient request information from us regarding personal data that has been entered into our system by a practitioner, the practitioner will be contacted immediately and informed of this request.  The practitioner will then be given an appropriate amount of time to respond to the patient’s request.  Patients must make their request for personal information through a practitioner.

This guideline requires us to provide a simple means for our users to place complaints.  Complaints may be sent via the contact form below.  We will investigate all complaints received.