Privacy Policy Overview

This Privacy Policy establishes rules to govern the collection, use, and disclosure of personal information collected by Bloom Psychedelic Therapy & Research Centre in the course of business, in compliance with federal and provincial privacy laws including the Personal Information Protection and Electronic Documents Act (Canada) and the Personal Information Protection Act (Alberta).

This Privacy Policy applies to all individuals whose personal information the Company collects uses or discloses in the course of doing business. This includes individuals who are clients and all individuals who are contract workers, contractors, and consultants to the Company. It is our policy to only disclose your personal information as required or authorized by law or as otherwise set out in this policy.

We reserve the right to change this policy from time to time as industry practice, the law, and our procedures in this area may change from time to time. We will post the current version of this policy on our website footer.

Principles:

1. The clinic will not collect, use or disclose individually identifying health information if an aggregate or other non-identifying health information is adequate for the intended purpose.

2. When collecting, using, or disclosing health information, the clinic will only collect, use or disclose the amount of health information that is essential to enable the clinic, or the recipient of the information, to carry out the intended purpose.

3. Before using or disclosing health information the clinic will make a reasonable effort to ensure that the information is accurate and complete.

Collection and Use of Identifying Health Information

The clinic will not use identifying health information to market any service for a commercial purpose or to solicit money without the express consent of the individual who is the subject of that information.

4.1      Health information will be collected directly from the individual it is about or his/her authorized representative unless the indirect collection is authorized by HIA.  Examples of the indirect collection are:

·         When the individual authorizes collection from a third party (this authorization can be verbal).

·         When the individual is unable to provide the information and the custodian collects the information from an authorized representative of the individual.

·         When direct collection would compromise the interests of the individual, the purpose of collection, the accuracy of the information, or the safety of another person (e.g. patient is not being completely truthful or cannot remember information).

·         When the direct collection is not reasonably practicable (e.g. language barrier, or cognitive impairment).

·         When information is collected from another custodian during referral or consultative processes.

·         When the information will be used for a purpose authorized under HIA section 27, including data matching.

4.2      When collecting health information directly from an individual, the clinic will inform the individual of the purpose for which the information is collected, the legal authority for the collection, and the title and business contact information of a staff member who can answer questions.  Notification will be provided by means of a signor verbally as appropriate.

4.3      Clinic affiliates shall only use individually identifying health information for a purpose authorized in section 27 of the HIA, and only as required to perform their assigned duties.  Authorized purposes can include:

• Providing health services;

• Determining of verifying the eligibility for an individual to receive a health service;

• Conducting research or performing data matching or other services to facilitate another person’s research (for research approved by a Research Ethics Board);

• Providing for health services provider education;

• Carrying out any purpose authorized by a law of Alberta or Canada;

• For internal management purposes, including planning, quality improvement, monitoring, reporting, or obtaining or processing payment for health services.

4.4      The use of the clinic’s paper and/or electronic patient charts, of Alberta Netcare, and of other electronic applications may be monitored to ensure appropriate confidentiality, and security. Audit and access logs will be checked by the clinic system administrator periodically and/or if a breach of security or privacy is suspected. Alberta Health conducts monthly audits of the information logs of Alberta Netcare. A participating custodian and authorized affiliate may access and use information  in Alberta Netcare if, and only when:

1. They are in a current care relationship with the individual who is the subject of the information;

2. They are providing health services to the individual either in the presence or absence of that individual;

3. Their access to the information is necessary for the provision of the health services or for making a determination for a related health service; and

4. The information is related to and necessary for the current session of care,

Unless alternate use or disclosure is authorized or required by law, or with the knowledge and consent of the subject individual. Individuals have the right to request the Information and Privacy Commissioner to review access, privacy, and correction decisions made by the clinic.

4.5      The HIA specifies that no person shall knowingly use individually identifying health information to market any service for a commercial purpose or to solicit money unless the individual who is the subject of the health information has specifically consented to its use for that purpose. [HIA Section 107(2)(f)]

4.5.1     While this would seem to imply that at the least contact information can be used to market services available, patient information can be used for social media testimonials or relations information with patients to develop clinic “brand”, etc.  However, there is nothing explicit under the Use provisions of the HIA authorizing such uses.

4.5.2     At the least, custodians and clinics should consider contacting their related professional associations/colleges for guidance on marketing activities with patient consent.  And every effort should be made to ensure proper consent for the specific marketing purpose (not just a blanket marketing consent) is obtained from each individual, with a clear explanation of the purpose they are consenting to, how the information will be used, and their right to revoke consent at any time.

4.5.3     A further consideration is this activity, with no explicit provisions in the HIA detailing it, is open to constant interpretation and reinterpretation by regulators, and requirements can change with these interpretations.  Some or all types of marketing activities may require a PIA submission detailing use, information flow, risks, and safeguards before they are undertaken.  Some types of marketing activities previously permitted could change to a not-permitted status and vice versa.  It is highly recommended that the custodians and clinic contact OIPC for current interpretations when contemplating such activities.

Disclosure of Health Information

5.1      The clinic may disclose individually identifying health information to the individual who is the subject of the information or to his/her authorized representative (see Appendix I: Definitions).

5.2      Individually identifying health information may be disclosed to a person other than the subject individual if the individual has consented to the disclosure or without consent as allowed per HIA section 35 provisions.

5.3      The clinic will normally require written consent from the individual to disclose identifying health information to anyone other than the individual or his/her authorized representative, or to another custodian (see clinic “Consent for Disclosure of Individually Identifying Health Information” - Appendix II:  Forms). Consent must be provided in writing or electronically, and must include:

·         the information to be disclosed;

·         the purpose for which the information may be disclosed;

·         the identification of the person receiving the information;

·         an acknowledgment that the person providing the consent is aware of the reasons why the health information is needed, and the risks and benefits of either consenting or refusing to consent;

·         the date the consent is effective and expiry date (if any); and

·         a statement advising the person that they may revoke the consent at any time. 

5.4      In deciding how much information to disclose, a custodian must consider as an important factor, any expressed wish of the individual who is the subject of the information relating to disclosure of the information, together with any other factors the custodian considers relevant. [HIA s. 58(2)]  (see “Procedure:  Release of Information and Disclosure Log” for our clinic procedure for recording of expressed wishes of patients). 

5.5      In all cases, the clinic will disclose the least amount of identifying health information at the highest level of anonymity possible that the custodian considers acceptable to fulfill and meet the intent and/or need of the request.

5.6      The clinic may disclose individually identifying health information without the consent of the subject individual.  A notation of the disclosure will also be made on the chart (a copy of a letter or fax cover sheet may serve this purpose). (See also Procedure:  Disclosure Log)

a)     To another custodian or affiliate, for the legally authorized uses identified in s27 of the HIA.

b)     To a person who is responsible for providing continuing care and treatment to the individual.

c)     To family members of the individual, or a close personal friend if the information is provided in general terms and concerns the presence, location, and condition of the individual on the day on which the information is disclosed.

d)     To contact family members or a close personal friend of the individual, if the individual is injured, ill or deceased.

e)     To comply with a subpoena, warrant, or court order.

f)       If the disclosure is authorized or required by provincial or federal legislation (e.g. Public Health Act). 

g)      For the purpose of a court proceeding, or proceeding before a quasi-judicial body to which the clinic is a party.

h)      To the successor custodian of the Attending Custodian.

i)         To a health professional body for the purpose of an investigation, disciplinary proceeding, practice review, or inspection.

j)        To a researcher who has signed a written agreement with the Attending Custodian in accordance with section 54 of the HIA and has provided the clinic with a copy of the Ethics Board’s response to the research proposal.

5.7      A custodian that discloses a record containing individually identifying diagnostic, treatment, and care information without the patients’ consent must make a notation of the disclosure [HIAs.41(1)]ck.  This notation must be maintained for 10 years after the disclosure.  (See Procedures:  Disclosure Log). 

Disclosure to Protect Public Health and Safety

6.1      *Discretionary disclosure of individually identifying health information to the police or Minister of Justice and Attorney General is permitted where a custodian reasonably believes the information relates to the possible commission of an offense under a statute or regulation of Alberta or Canada, and that the disclosure will protect the health and safety of Albertans.  (Refer to Sections 37.3(1) and 37.3(2) of HIA). 

The health information the custodian may disclose includes:

·         the individual’s name;

·         the individual’s date of birth;

·         the nature of any injury or illness of the individual;

·         the date on which a health service was sought or received;

·         the location of where the health service was sought or received;

·         whether any samples of bodily substances were taken from an individual; and

·         identity, contact/location, and service type information about a health service provider who provided a health service to the individual.

Disclosure to Prevent or Limit Fraud or Abuse of Health Services

7.1     *Discretionary disclosure is permitted to the police or to the Minister of Justice and Attorney General under provision s37.1 of the HIA where the custodian reasonably believes the disclosure will prevent or limit fraud or abuse of health services and the disclosure will detect or prevent fraud or limit abuse in the use of health services.

For individuals suspected of fraud or abuse of the health system, the health information that may be disclosed is:

·         the individual’s name;

·         the individual’s date of birth;

·         the individual’s health number;

·         the nature of any injury or illness of the individual;

·         the date on which a health service was sought or received;

·         the location where the health service was sought or received;

·         the name and the date of any drug provided or prescribed to the individual; and

·         Identity, contact/location, and service type information about a health service provider who provided a health service to the individual.

Situations Where Disclosure May or Must be Refused

7.2  The Custodian must refuse to disclose health information to an applicant

a)   If it is about an individual other than the applicant, unless 

i.)    it was originally provided by the applicant in the context of receiving a health service, or

ii.)   the applicant has authority under Section 104 of the HIA to receive the information (e.g. guardian of a minor, executor of an estate for purposes authorized under the Act).

b)   If it sets out procedures or contains results of an investigation, disciplinary proceeding, practice review, or an inspection related to a health services provider; and

c)   If the disclosure is prohibited by provincial legislation.

7.3   The custodian may refuse to disclose health information if the disclosure could reasonably:

a)    Be expected to result in immediate and grave harm to the applicant’s mental or physical health or safety, or threaten the mental health or physical health or safety of another individual;

b)    Lead to the identification of a person who provided health information to the clinic in confidence; and

c)    Be expected to prejudice the use or results of audits, diagnostic tests or assessments.

7.4  When individually identifying health information is disclosed in any of the above circumstances where information is disclosed without the consent of the individual, a record shall be made of the name of the person who received the information, the date, and purpose of the disclosure, and a description of the information disclosed. This record of disclosure must be retained for 10 years following the date of disclosure as per HIA s.41(1).

Additional information is available from the Health Information Act Guidelines and Practices Manual, available at: 

http://www.health.alberta.ca/documents/HIA-Guidelines-Practices-Manual.pdf

Section 1.3.2 “How the Act Works” (page 9), and the “Disclosure of Health Information Under HIA” Decision Tree (page 212 – 218).

Authentication of Recipient

8.1  Clinic staff shall take reasonable steps to ensure the disclosure is made to the person authorized and intended to receive the information.  This involves verifying and authenticating the identity of any individual to whom health information is going to be disclosed prior to the disclosure occurs.  Some examples of proof of identity include photo identification (i.e., a driver’s license, passport, etc.), a health card, or organization name tag or business card.  Other methods of authenticating include confirming the fax number provided before sending, or confirming the fax was received by the intended recipient.

Notation and Notification

9.1  When a record containing individually identifying diagnostic, treatment, and care information is disclosed in accordance with section 35 of HIA, the clinic will make note of the following information and place it on the patient’s health record [HIA s. 41(1)] and clinic disclosure log (if separate). 

·         the name of the person to whom the information is disclosed;

·         the date and purpose of the disclosure (note: the disclosure purpose is not required for databases with electronic logs); and 

·         a description of the information disclosed 

9.2     When individually identifying diagnostic, treatment and care information is disclosed to anyone other than the individual themselves or another custodian (i.e. a third party) with or without consent, the clinic will inform the recipient in writing of the purpose of the disclosure and the authority under which the disclosure is made.  This will be done in the covering letter or fax cover sheet accompanying the information (see clinic “Form #3 Notification to Recipient to Accompany the Disclosure of Individually Identifying Diagnostic, Treatment and Care Information by a Custodian – Disclosure With the Subject’s Consent" OR “Form #4 Notification to Recipient to Accompany the Disclosure of Individually Identifying Diagnostic, Treatment and Care Information by a Custodian – Disclosure Without the Subject’s Consent” - Appendix 2:  Forms).

Cookies

In addition, we also receive and send data from our servers and from your browser when you visit our website, including your IP address, the time and information about the page you requested, and the website through which you were linked to our site if any. We use tracking technologies, such as Google Analytics tracking technologies in a variety of ways, including the following: keeping count of return visits to our site; accumulating and reporting anonymous, aggregate (data collected in mass), statistical information on website usage; and determining which features users like best. Finally, your Internet browser has a feature called “cookies”, which stores small amounts of data on your computer about your visit to our site. Cookies tell us nothing about who you are, however, unless you specifically give us personal information. You do not need to have cookies turned on to visit bloompsychedelic.com. You may also elect not to allow cookies to be collected by selecting certain options on your browser.

Challenging Compliance

Inquiries or complaints concerning compliance with this Privacy Policy should be addressed, in writing, to the Company's Privacy Officer.

If you are not satisfied with the response from our Privacy Officer after making a complaint, you may have recourse to additional remedies under applicable privacy legislation. For further information, please contact the Federal Privacy Commissioner or your provincial Privacy Commissioner, as applicable.

Questions and Complaints

If you have a question or concern about any collection, use, or disclosure of personal information by the Company, or would like to request access to your own personal information, please contact our Privacy Officer at privacy@bloompsychedelic.com