In this policy, we use the word "patient/client" to refer to anyone who has or is looking to book an appointment with Lab Health. We use the word “you” to refer to any individual user of our Services, such as a practitioner or staff member, an individual browsing or using our websites and web-based resources.
Why Lab Health Collects Personal Information
Information Lab Health Collects from You
Contact Information. We collect only the contact information you choose to provide, such as your name, email address, phone number, personal health number and date of birth, when you fill out our online forms or set up your user account for our Services. We use your contact information to activate your user account, give you access to the Services, and send you notices about your user account. We may also use your contact information for marketing purposes, such as promotional emails, direct mail and sales contacts. You can opt out of our marketing communications at any time by unsubscribing or contacting us at email@example.com.
Billing Information. When you have completed your first appointment, we also collect credit card information to process payment. Credit card information is provided directly to our payment processor and is processed in a PCI-compliant manner. We do not keep your credit card information. Where this policy refers to credit card information being “stored”, this means we hold a “token”: a non-sensitive placeholder that stands in for the card details and that only the payment processor can map back to your card when a payment needs to be processed. In practical terms, the token cannot be used to make purchases with your card elsewhere. The card data is encrypted in transit to the processor, and Lab Health can only see the last 4 digits of the card number.
Insurance Information. We collect only the insurance information necessary to complete insurance claims on your behalf. Your consent must be obtained before we complete any insurance claim for you: when you complete our online intake form you are given the option to accept or decline this service, and you can instead choose to submit all insurance claims on your own. We offer direct billing to insurance companies in an effort to streamline the process for you.
Log and Device Information. When you access and browse our Services, we collect information about how you are accessing them, such as your internet or mobile network connection, your browser and the type of mobile device you are using (if applicable). We use this log and device information to identify how our Services are being accessed and used so we can optimize them for the connections, browsers and devices in use. This information is not used to market or send promotions to you. We also use cookies and similar technologies for the following purposes:
To learn about use of our websites, such as user traffic patterns and the effectiveness of our navigational structure
To identify email open rates in order to gauge the effectiveness of certain communications or marketing campaigns to clinics
To allow you to login to secure areas of our Services
To store your login credentials for easy access to our Services
Social Media. If you log in to our Services using a third-party sign-in service, such as Google, Facebook Connect or Twitter, we will receive personal information from that service, such as your name, email address and profile photo, in order to pre-populate our online forms. We also include social media “Like” and “Share” buttons on our websites. These features may collect your IP address and the page you are visiting on our website, and may set a cookie so that the feature functions properly. Your interactions with these features are governed by the privacy policies of the third parties who provide them, not by us.
Patient Data. Lab Health uses clinic and administrative management platforms to collect and store personal information from its patients and to create patient records. These records may include a patient’s name, address, health insurance and billing information, medical charts, appointment history and other patient data (“Patient Data”). This information is referred to as “personal health information”, and specific privacy laws apply to it. If you are a patient, Patient Data is collected from you when you visit Lab Health, when you set up an account with Lab Health through our online booking website, or when an account is set up for you after you call or email to book an appointment.
Lab Health's Role. We retain sole control over Patient Data and may be referred to as a “health information custodian”, a “covered entity” or a “controller” depending on the applicable privacy law. Lab Health is responsible for complying with the laws and regulations governing the use of Patient Data, and for determining the legal basis for such use. In British Columbia, as a private organization, we are governed by the Personal Information Protection Act (PIPA).
Lab Health uses Jane App and G Suite to complete the clinical and administrative processes for the clinic. These are service providers to Lab Health and may be referred to as an “agent” or “processor” of Lab Health. Jane App stores Patient Data in its secure data centres and makes it available to its users through our clinic management platform; Jane otherwise has no control over Patient Data. Jane App will only access Patient Data on the instructions of Lab Health or its associated healthcare practitioners or staff, or, in rare cases, where needed to prevent or address technical problems or where required by law or court order. G Suite stores the minimal Patient Data entered by Lab Health. Lab Health uses G Suite to track insurance report timelines, send emails and faxes, and communicate within our healthcare team and with insurance providers. Google states that G Suite employs dedicated security professionals to protect customer data against outside intrusions and insider threats, that internal access to user data is tightly restricted and monitored, and that the small set of G Suite employees with such access is subject to rigorous authentication measures, detailed logging, and activity scanning to detect inappropriate access through log analysis.
Storage Location. Patient Data is stored in Canada or the United States. Where possible, Lab Health selects options that keep all information stored in Canada. Please note that we use US-based service providers for appointment reminders sent by email or SMS; therefore, Patient Data contained in appointment reminders will pass through, and may be stored, outside of Canada. All our data centres and service providers maintain a high level of security and comply with the privacy laws applicable in British Columbia.
Patient Rights. Patients have certain rights with respect to their Patient Data, which may include knowing what information Lab Health holds about you, correcting inaccurate Patient Data, obtaining a record of your Patient Data and, in certain circumstances, having your Patient Data deleted or removed. Please note that Lab Health has strict legal and regulatory obligations around Patient Data and may not always be permitted to delete or remove it.
Questions about Patient Data. If you have any questions about your Patient Data or wish to exercise any of your patient rights, please contact our Privacy Officer at firstname.lastname@example.org or at 250 386 7254.
Sharing Your Information
We do not sell or distribute personal information to third parties for their own commercial or marketing purposes. We will only share personal information we collect in the following circumstances:
Suppliers and Service Providers. In order to operate our business and provide the Services to you, we may need to share a limited amount of personal information, including Patient Data, with our third-party suppliers and service providers. Before sharing personal information, we ensure that the third parties receiving it have appropriate safeguards in place and that privacy rights are protected and preserved. Some of the areas where we use third-party suppliers and service providers include:
PDF document form creator to help in filling out insurance forms
Cloud-based fax services so we can communicate with physicians and with the Department of National Defence for military patients
Customer support services to help us collect feedback and manage our support services
SMS tools for patient and staff communication
Reminder applications for administrative workflow notifications
Corporate Transactions. We may share personal information in connection with negotiating or carrying out a financing or acquisition of our business, a merger or amalgamation with another business, or a sale of all or part of our company assets. Before sharing personal information, we will ensure that appropriate confidentiality and non-disclosure undertakings are in place. We will not share Patient Data in these circumstances.
Compliance with Laws. We may disclose personal information to a third party if we are required to do so by applicable law, government request, court order or regulatory body. We may also be required to disclose personal information to enforce our legal rights, to enforce security requirements, or to respond to an emergency which we believe, in good faith, requires us to disclose personal information. In such instances, if permissible, we will make every reasonable effort to give you as much notice as possible regarding the disclosure of your personal information, what information was disclosed and why. We will not disclose Patient Data unless legally required to do so.
We protect your personal information, including Patient Data stored in our cloud platforms, by:
Using industry-standard security controls, including transport-layer encryption (TLS, commonly still referred to as an SSL certificate) so that information is transmitted over a secured connection between your browser and our web server, and encryption of stored data by our cloud platforms.
Using state-of-the-art data centres with appropriate security and compliance certifications, such as SOC 2 reports, EU-US Privacy Shield participation and HIPAA compliance.
Requiring our personnel (practitioners, administrative staff and Esquimalt Rec Centre staff) and any Lab Health affiliated personnel, such as our bookkeeper, students, mentees and volunteers, to sign strict confidentiality agreements so that they understand the confidential nature of the data we process, and to access your account only when necessary for the provision of Services.
Granting all personnel and affiliated personnel access only to the level of information they need to do their job. Access levels are selected individually for each person, and those with higher levels of access to Patient Data have undergone specialty training on privacy and secure data access.
Requiring password protection for every account, yours and our personnel's, with a password chosen individually by the user and not shared with anyone else. We cannot see or recover your password; the only way to recover access is for you to initiate a reset via the email address or mobile phone number you use for the Services.
While we employ industry-standard measures to protect your information, no electronic communication can ever be completely secure. You share responsibility for the protection of your personal information by setting a strong password and keeping your username and password confidential.
We retain personal information only for as long as necessary to achieve our stated purposes, or as required by applicable law. For example, Contact and Billing information is kept for as long as your account is active and for a reasonable period after it has been deactivated, in case you wish to re-activate the account. User account information is retained as long as necessary to comply with Patient Data storage and access laws. In British Columbia, all Patient Data must be kept for 16 years from the date of the last entry or, in the case of minors, for 16 years from the time the patient would have reached the age of majority (either age 18 or 19). Credit card retention is described in the next section.
Online/In person Credit Card Payment Security
Credit card information is never kept or stored on any Lab Health computer, server or document. Credit card information entered into Jane App is immediately transferred to one of our payment processing partners over an encrypted connection. Our PCI-compliant payment processing partners store that information on Jane's behalf; their default behaviour is to retain the card information so that refunds can be processed. Our payment partners have been carefully chosen, and they use the same 128-bit encryption as major banks around the world. They return to Jane a token (an opaque reference) that represents the credit card, so that Jane can continue to bill against that card if the customer wishes; this token cannot be used outside of Jane. The only information Jane stores about the credit card is the last 4 digits and the expiration date, so that the customer will know which card they provided.
Individuals have certain rights with respect to their personal information. These rights are set out below. If you are a patient of one of our Lab Health clinics, please contact your clinic or practitioner to exercise any of these rights with respect to your Patient Data.
Correction and Deletion. We will make reasonable efforts to ensure that the personal information we collect from you is accurate and complete. You may update, correct or delete your account information at any time by logging into your user account and modifying your personal information, including your preferences to receive messages from us. You may also update, correct or delete your personal information by contacting us as noted below.
Withdrawing Consent. Where we have relied on your consent to use your personal information, you have the right to withdraw that consent at any time by contacting us as noted below. In addition, all our marketing email messages contain the ability to automatically “opt-out” or unsubscribe from our mailing lists and marketing messages.
Access and Portability. You have the right to request a record of the personal information we have collected about you and to ask that it be provided in a structured, commonly used electronic format (where applicable and technically feasible). In some cases we cannot provide certain information about you if doing so would disclose the personal information of another person or other confidential information, or would compromise our security systems. If you require access to your personal information, please Contact Us. We will respond within thirty (30) days of receiving your request. We may charge a fee where permitted by applicable law.
Complaints. You have the right to lodge a complaint with a supervisory authority. You may contact the Information and Privacy Commissioner of British Columbia (for British Columbia matters) ( http://www.oipc.bc.ca/ ) or the Privacy Commissioner of Canada (for international and inter-provincial matters) ( http://www.priv.gc.ca/ ).
Lab Health Services Ltd.
527 Fraser Street
V9A 6H6 Canada
Tel: 250 386 7254
Attention: Privacy Officer
Updated: April 28, 2020