Privacy Policy
This privacy policy pertains to the Information Practices of Regional Medical Associates (RMA), its products and services.
Collection, Use, and Disclosure of Personal Information (“PI”) and Personal Health Information (“PHI”)
Personal Information (“PI”) means recorded information about an identifiable individual or that may identify an individual that is received or collected by RMA to provide products and services. PI includes (i) personal information as such term is defined in the Personal Information Protection Electronic Documents Act; and (ii) personal health information as such term is defined in the Personal Health Information Protection Act (Ontario). PI does not include information about RMA’s employees in such employees’ capacity as employees of RMA, nor does it include the name, title, contact information or designation of an individual that identifies the individual in a business, professional or official capacity.
RMA is committed to protecting any information gathered and keeping it secure. As such, PI is not disclosed to or shared with unauthorized third parties except as required by the laws of Canada and/or the province of Ontario, and as described herein.
RMA receives PHI as agent of the health information custodian in accordance with the requirements of s. 17 and s. 10(4) of the PHIPA and its related regulations, as part of the provision of products and services of its users.
RMA will use as much PHI as is reasonably necessary to provide products and services to its members and will make PHI available only to those employees, agents or subcontractors who require access in order to satisfy those obligations.
Practices to Protect PHI
RMA takes appropriate safeguards to prevent theft, loss, and unauthorized access, copying, modification, use, disclosure, or disposal of PHI. Without limiting the generality of the foregoing, RMA takes reasonable steps to ensure that all PHI is securely segregated from any information owned by third parties, including access barriers, physical segregation, and password authorization.
RMA educates its employees, agents and subcontractors on privacy laws and policies and takes reasonable steps to ensure compliance through staff training and confidentiality agreements.
RMA ensures that its employees, agents and subcontractors who are fired, resign, or no longer require access to PHI from RMA return all PHI to RMA and can, thereafter, no longer access applications, hardware, software, network, and facilities belonging to RMA.
RMA will revoke any user’s access to PHI if security is breached and on RMA’s reasonable request.
RMA will never lease or sell the PI or PHI it collects.
RMA will not disclose PI or PHI to third parties except as contemplated in this Privacy Policy and as required by law or upon demonstrated lawful authority.
RMA uses third-party service providers to host servers in Ontario. These third-party service providers may have access to PI as an incidental result of the services provided by such third parties to RMA, but the access of such third parties to such information is strictly controlled in accordance with the safeguards detailed in this Policy.
The type of information RMA is legally required to disclose may relate to criminal investigations or government tax reporting requirements. In some instances, such as a legal proceeding or court order, RMA may also be required to disclose PI to authorities. Only the information specifically requested will be disclosed and RMA takes precautions to prove that the authorities making the disclosure request have legitimate grounds to do so.
PI may be disclosed in situations where RMA is legally requested to do so, such as in the course of employing reasonable and legal methods to enforce users’ rights or to investigate suspicion of unlawful activities. RMA may release certain PI when it is believed such release is reasonably necessary to protect the rights, property and safety of RMA, its members and employees. If required to release PI, RMA will make every effort to notify the relevant parties about the proceedings.
Usage and Aggregate Data
RMA collects usage information from users of our products and services. The purpose of this collection is to understand how users access and use the services to enhance and optimize our services. Usage information and data could include, but is not limited to, the user’s device type, device identifier, IP address, browser type, operating system, duration of use, number of messages sent or received, and times at which the applications were accessed and used. In addition, RMA will collect aggregate data about a group or category of services or users. This information, as well as the PI collected, enables RMA to analyze trends, administer RMA’s products and services, troubleshoot, enhance, and improve RMA’s products and services.
RMA maintains the right to inform our users about any change that may affect information collected or stored.
RMA reserves the right to use the contact information of users for the purposes of communications regarding any aspect of a user’s account or corresponding services and products. Users will have the option to participate or opt out of optional communications (e.g. news, events) while mandatory communications (e.g. security updates, product announcements/revisions) will always be sent to all active users.
Data Retention
RMA reserves the right to reject, suspend, alter, remove or delete data if it breaches our terms and conditions or is necessary to protect RMA or others where RMA has reasonable grounds for believing that a criminal act has been committed, or if required by law.
RMA processes and stores the user’s messages, logs, contact data, and other related information in order to provide RMA’s products and services to the user. Data will be stored for seven (7) years in a secure and private manner or deleted as per direction from the user as allowable by operational needs and relevant law. RMA maintains security and privacy policies and procedures to ensure all measures are taken to maintain the integrity of the data in our care.
Control of User Data
RMA takes reasonable steps to protect information collected from users to prevent loss, misuse and unauthorized access, disclosure, alteration and destruction.
RMA has appointed a Designated Privacy Contact who acts as Privacy Officer (PO) responsible for information system monitoring and information security policy and procedure management. The PO is responsible for compliance with RMA’s privacy program, including:
- Undertaking and/or gathering from third-party service providers Privacy Impact Assessments and Threat and Risk assessments regularly
- Adopting policies and procedures on the basis of Privacy Impact Assessments and Threat and Risk assessments to mitigate all identified risks, updated as necessary
RMA users may access their PI by accessing their account and, should they require assistance, by contacting RMA’s PO by email at rmapriv@mcmaster.ca or by mail at the following address:
Regional Medical Associates
c/o Privacy Officer
Suite 302 – 1685 Main St W
Hamilton, ON L8S 1G5, Canada
RMA’s main safeguard measure to restrict access to its products and services is a layered approach to authentication including a username and two additional verification factors. Every user must keep their verification factors safe to ensure that only they have access to view the private information they have been authorized to access. Users must immediately contact RMA if they believe any of their verification factors have been compromised or misused.
Notification of and Communication with RMA
Users may contact RMA’s PO to make enquiries about RMA’s privacy practices or the accuracy of their PI, and to request the update, correction or deletion of such information or account. Any queries, comments or concerns can be sent by email at rmapriv@mcmaster.ca or by mail at the following address:
Regional Medical Associates
c/o Privacy Officer
Suite 302 – 1685 Main St W
Hamilton, ON L8S 1G5, Canada
Users shall report to RMA’s PO at their first reasonable opportunity after they become aware of any use, disclosure (including being legally compelled), theft, or unauthorized access of PHI.
Governing Law
This Privacy Policy shall in all respects be governed by and interpreted, construed and enforced in accordance with the laws of the Province of Ontario and the laws of Canada applicable therein.
Cookies
Our websites may use “cookies” to enhance the user experience. Web cookies are very small text files that are stored on the user’s computer by a webpage to keep track of information about the user’s browsing on that site. The use of cookies allows us to capture standard web traffic information, such as the time and date the user visited our websites, their IP address, and their browser information. In no circumstances do the cookies capture any information that can personally identify the user. The user may choose to set their web browser to refuse cookies, or to alert the user when cookies are being sent. If the user sets their web browser to disable cookies, some parts of the website may not be accessible to the user.