PIPEDA COMPLIANCE

Protecting Personal Health Information in Accordance with Canadian Privacy Laws
Framework Consulting Corp. d/b/a MyMedPro.io is fully committed to compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial health privacy legislation. As your trusted Data Processor, we implement comprehensive privacy safeguards that meet or exceed Canadian privacy requirements.


OUR CANADIAN PRIVACY COMMITMENT

Data Processor Status

Framework Consulting Corp. operates as a Data Processor under PIPEDA and provincial health privacy laws, providing AI-powered healthcare communication services to healthcare providers (Data Controllers).
We:

Process personal information only on your instructions - No independent processing purposes
Maintain strict data segregation - Each client's data is completely isolated
Respect provincial health privacy laws - PHIPA (Ontario), HIA (Alberta), PIPA (BC)
Provide full transparency - Complete audit trails and compliance documentation

Privacy Foundation

✅ Data Processing Agreements (DPAs) Required - Signed before any personal information processing

✅ Designated Privacy Officer - Expert compliance leadership

✅ Privacy Impact Assessments - Comprehensive privacy evaluations

✅ Staff Privacy Training - Regular education on Canadian privacy laws

✅ Breach Notification Procedures - "As soon as feasible" notification protocols



PIPEDA PRINCIPLES IMPLEMENTATION

1. Accountability

Privacy Governance Structure

Designated Privacy Officer responsible for PIPEDA compliance
Clear accountability for all personal information processing activities
Comprehensive privacy policies and procedures documented and maintained
Regular compliance monitoring and assessment programs

Organizational Commitment

Board-level commitment to privacy protection and PIPEDA compliance
Privacy-by-design principles integrated into all business processes
Regular privacy training for all staff members
Clear privacy responsibilities defined for all roles

2. Identifying Purposes

Clear Purpose Limitation

We process personal health information solely for:

Healthcare Communication: Answering patient calls and managing messages
Appointment Management: Scheduling, confirming, and reminder services
Administrative Support: Analytics and reporting for healthcare providers
Service Improvement: Using de-identified data only for AI enhancement

Purpose Documentation

All processing purposes clearly documented in Data Processing Agreements
No processing for purposes other than those specified and agreed upon
Regular review and update of processing purposes as services evolve
Clear communication of purposes to individuals through healthcare providers

3. Consent

Consent Management

Healthcare providers obtain and manage consent on behalf of patients
Clear consent disclosure about our role as Data Processor
Respect for consent limitations and withdrawal requests
Documentation of consent basis for all processing activities

Consent Requirements Met

Meaningful consent - Individuals understand what they're consenting to
Informed consent - Clear information about processing purposes and risks
Voluntary consent - No negative consequences for withholding consent
Ongoing consent - Regular review and renewal of consent where required

4. Limiting Collection

Data Minimization Principles

Collection limited to information necessary for identified purposes
No collection of sensitive information beyond what's required for service delivery
Regular review of data collection practices to ensure continued necessity
Clear boundaries on what information we will and will not collect

Collection Limitations

We DO collect:

Contact information (names, phone numbers, email addresses)
Appointment scheduling data and preferences
General communication records and call logs
Technical data necessary for service delivery

We DO NOT collect:

Detailed medical records or clinical notes
Diagnostic information or test results
Financial or insurance information
Unnecessary personal or demographic information

5. Limiting Use, Disclosure, and Retention

Use Limitations

Personal information used only for purposes identified at collection
No use for marketing, advertising, or commercial purposes beyond service delivery
No combination of patient data across different healthcare providers
Clear restrictions on staff access based on job responsibilities

Disclosure Limitations

Disclosure only to authorized healthcare provider staff and approved subprocessors
No disclosure to third parties without appropriate legal authority
Clear documentation of all disclosures and recipients
Subprocessor agreements ensuring equivalent privacy protection

Retention Limitations

Active relationships: Information retained only as long as necessary for service delivery
Communication records: Deleted after 90 days unless otherwise required
Terminated relationships: All information deleted within 30 days
Legal requirements: Retention extended only when required by law

6. Accuracy

Data Accuracy Measures

Regular verification of personal information accuracy with healthcare providers
Prompt correction of inaccurate information upon notification
Quality control measures to prevent data entry errors
Clear procedures for individuals to request corrections through healthcare providers

Accuracy Maintenance

Automated data validation and verification processes
Regular data quality audits and assessments
Staff training on accurate data handling and entry procedures
Documentation of all corrections and updates to personal information

7. Safeguards

Comprehensive Protection Measures

Administrative, technical, and physical safeguards appropriate to sensitivity of information
Multi-layered security architecture with redundant protection systems
Regular security assessments and vulnerability testing
Incident response procedures for security breaches and privacy incidents

Security Implementation

Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
Access Controls: Multi-factor authentication and role-based permissions
Monitoring: 24/7 security monitoring and automated threat detection
Training: Regular security awareness training for all staff

8. Openness

Transparency Measures

Comprehensive privacy policy available on our website
Clear information about our privacy practices provided to healthcare providers
Regular communication about privacy policy updates and changes
Open communication channels for privacy questions and concerns

Information Availability

Privacy Officer contact information readily available
Clear procedures for accessing privacy-related information
Regular privacy policy reviews and updates
Proactive communication about significant privacy practice changes

9. Individual Access

Access Rights Support

Assistance to healthcare providers in fulfilling individual access requests
Provision of personal information in accessible formats
Response to access requests within 30 days as required by PIPEDA
Clear documentation of all access requests and responses

Access Procedures

Secure identity verification procedures for access requests
Coordination with healthcare providers to manage access requests
Provision of information in requested format where technically feasible
Clear explanation of any limitations on access rights

10. Challenging Compliance

Complaint Handling

Clear procedures for receiving and responding to privacy complaints
Investigation of privacy concerns and implementation of corrective measures
Cooperation with Privacy Commissioner investigations and inquiries
Documentation of all complaints and resolution measures

Continuous Improvement

Regular review of privacy practices based on feedback and complaints
Implementation of privacy enhancements based on lessons learned
Proactive identification and resolution of privacy risks
Ongoing monitoring of regulatory developments and best practices


PROVINCIAL HEALTH PRIVACY COMPLIANCE

Ontario - Personal Health Information Protection Act (PHIPA)

Health Information Custodian Support

Recognition of healthcare providers as Health Information Custodians
Operation as "agent" of Health Information Custodians where applicable
Compliance with PHIPA requirements for agent relationships
Support for custodian obligations under PHIPA

PHIPA-Specific Requirements

Circle of care communications support for healthcare providers
Consent management aligned with PHIPA consent requirements
Individual rights support including access and correction procedures
Breach notification to Information and Privacy Commissioner of Ontario

Key PHIPA Protections

Enhanced protection for mental health information
Special consent requirements for secondary uses of health information
Mandatory reporting of privacy breaches to provincial authorities
Additional security requirements for electronic health information

Alberta - Health Information Act (HIA)

Health Information Custodian Partnership

Support for Health Information Custodians in meeting HIA obligations
Compliance with information management requirements under HIA
Alignment with Alberta's health information sharing frameworks
Support for custodian accountability under provincial legislation

HIA-Specific Requirements

Express consent requirements for certain health information uses
Network agreements support for multi-custodian information sharing
Individual access rights under Alberta's health information framework
Privacy Commissioner notification for significant privacy incidents

Alberta Privacy Protections

Enhanced requirements for health information security
Specific provisions for electronic health information systems
Mandatory privacy impact assessments for new health information initiatives
Additional oversight by Alberta's Information and Privacy Commissioner

British Columbia - Personal Information Protection Act (PIPA) and E-Health Act

BC Privacy Compliance

Compliance with BC's Personal Information Protection Act for private sector organizations
Alignment with E-Health Act requirements for electronic health records
Support for healthcare providers' privacy obligations under BC legislation
Integration with BC's health information sharing frameworks

BC-Specific Requirements

Notification requirements for cross-border disclosure of personal information
E-health compliance for electronic health record systems
Privacy breach notification to BC's Information and Privacy Commissioner
Individual rights support under BC's privacy legislation

E-Health Act Compliance

Technical standards compliance for electronic health information systems
Security requirements for electronic health records and communications
Privacy protection measures for patient health information
Integration with BC's provincial health information infrastructure

Other Provincial Jurisdictions

Manitoba, Saskatchewan, Nova Scotia, New Brunswick

Compliance monitoring for emerging provincial health privacy legislation
Adaptation of privacy practices to meet provincial requirements
Coordination with provincial health authorities and privacy commissioners
Support for healthcare providers operating in multiple jurisdictions


CROSS-BORDER DATA TRANSFERS

PIPEDA Cross-Border Provisions

Disclosure Outside Canada

Under PIPEDA Section 4.1.3, we disclose personal information outside Canada to:

United States - Amazon Web Services (AWS)

Purpose: Cloud infrastructure and data hosting services
Safeguards: Standard Contractual Clauses, comprehensive Data Processing Agreement
Data Types: All categories of personal health information
Protection Level: Comparable to Canadian privacy protection standards

United States - Twilio

Purpose: Communications platform for phone and messaging services
Safeguards: Data Processing Agreement with privacy provisions
Data Types: Contact information and communication records
Protection Level: Contractual privacy protections equivalent to Canadian standards

Individual Notification

Transparency Requirements

Clear disclosure of cross-border transfers in privacy policies
Notification through healthcare providers about international processing
Information about safeguards and protection measures for transferred data
Individual rights and recourse options for cross-border processing

Consent and Control

Meaningful choice about cross-border processing where legally possible
Clear information about countries where personal information may be processed
Options for data residency preferences where technically feasible
Withdrawal rights and impact on service delivery clearly explained

Safeguards for Cross-Border Transfers

Contractual Protections

Standard Contractual Clauses with all international service providers
Comprehensive Data Processing Agreements ensuring equivalent protection
Regular compliance monitoring and audit rights for international transfers
Breach notification requirements covering cross-border processing

Technical Protections

End-to-end encryption for all international data transfers
Secure transmission protocols and authentication mechanisms
Geographic controls and data residency options where possible
Regular security assessments of international processing arrangements



PRIVACY BREACH MANAGEMENT

Breach Notification Timeline

PIPEDA Requirements - "As Soon As Feasible"

Immediate assessment (0-2 hours): Initial incident containment and scope assessment
Healthcare provider notification (within 24 hours): Preliminary breach notification
Privacy Commissioner notification (within 72 hours): When required by risk of significant harm
Individual notification (coordinated with healthcare provider): When risk of significant harm exists

Provincial Requirements

Ontario (PHIPA): Notification to Information and Privacy Commissioner of Ontario
Alberta (HIA): Notification to Alberta Information and Privacy Commissioner
BC (PIPA): Notification to BC Information and Privacy Commissioner

Risk of Significant Harm Assessment

Assessment Criteria

We assess risk of significant harm based on:

Sensitivity of information: Health information generally considered high sensitivity
Circumstances of breach: Nature of unauthorized access or disclosure
Number of individuals affected: Scale and scope of potential impact
Likelihood of misuse: Probability that information will be used for harmful purposes

Response Measures

Immediate containment and mitigation of ongoing harm
Comprehensive investigation and root cause analysis
Implementation of corrective measures to prevent recurrence
Coordination with healthcare providers on individual notification

Breach Prevention

Proactive Privacy Protection

Privacy by design principles integrated into all systems and processes
Regular privacy impact assessments for new initiatives and system changes
Continuous monitoring for privacy risks and emerging threats
Comprehensive staff training on privacy protection and incident prevention


INDIVIDUAL RIGHTS UNDER CANADIAN PRIVACY LAW

Access Rights

PIPEDA Access Rights (Section 4.9)

Individuals have the right to:

Access personal information: Request access to personal information held about them
Information about use: Understand how their personal information is being used
Source disclosure: Know the source of personal information where applicable
Disclosure history: Information about to whom personal information has been disclosed

Our Access Support Process

Requests processed through healthcare providers as Data Controllers
Response within 30 days as required by PIPEDA
Information provided in accessible format requested by individual
Complete audit trail of access requests and responses maintained

Correction Rights

Accuracy and Correction

Individuals have the right to:

Challenge accuracy: Question the accuracy of personal information
Request corrections: Ask for correction of inaccurate information
Notation of disputes: Have unresolved accuracy disputes noted in records
Notification of corrections: Ensure corrections are shared with relevant parties

Our Correction Process

Correction requests processed through healthcare providers
Updates implemented within 30 days of authorized correction request
Documentation of all corrections with audit trail maintained
Notification to relevant subprocessors and service providers

Withdrawal of Consent

Consent Withdrawal Rights

Individuals may:

Withdraw consent for specific uses of personal information
Limit processing to essential service delivery functions only
Request cessation of non-essential communications and processing
Understand implications of consent withdrawal on service delivery

Withdrawal Process

Withdrawal requests processed through healthcare providers
Immediate cessation of affected processing activities
Data deletion within 30 days where consent withdrawal requires deletion
Clear communication about impact on service delivery


PRIVACY COMMISSIONER COOPERATION

Federal Privacy Commissioner

Office of the Privacy Commissioner of Canada

Contact: 1-800-282-1376 or [email protected]
Complaint process: Individual complaints about privacy practices
Investigation cooperation: Full cooperation with Commissioner investigations
Compliance monitoring: Regular reporting on privacy compliance measures

Our Cooperation Commitment

Prompt response to Privacy Commissioner inquiries and investigations
Full documentation and cooperation during complaint investigations
Implementation of Commissioner recommendations for privacy enhancements
Proactive communication about significant privacy initiatives or changes

Provincial Privacy Commissioners

Information and Privacy Commissioner of Ontario

Contact: 1-800-387-0073 or [email protected]
PHIPA oversight: Complaints and investigations under health privacy legislation
Breach notification: Mandatory reporting of privacy breaches involving health information

Information and Privacy Commissioner of Alberta

Contact: 1-888-878-4044 or [email protected]
HIA oversight: Compliance monitoring and investigation under Health Information Act
Privacy impact assessments: Review of significant health information initiatives

Information and Privacy Commissioner for British Columbia

Contact: 1-800-663-7867 or [email protected]
PIPA oversight: Private sector privacy compliance and complaint investigation
E-Health compliance: Oversight of electronic health information systems


DATA PROCESSING AGREEMENT (DPA)

DPA Requirements

Mandatory Execution

DPA must be signed before any personal information processing begins
Comprehensive terms covering all PIPEDA requirements and provincial obligations
Clear definitions of processing purposes, data categories, and retention periods
Specific privacy and security obligations aligned with Canadian law

Key DPA Provisions

Processing limitations: Personal information processed only for specified purposes
Safeguards: Technical, administrative, and physical protection measures
Subprocessor management: Required agreements with all subprocessors
Individual rights: Support for access, correction, and complaint procedures
Breach notification: 24-hour notification for privacy incidents
Data return/destruction: Within 30 days of relationship termination

Cross-Border Transfer Provisions

Explicit Disclosure Requirements

Clear identification of all countries where personal information may be processed
Detailed description of safeguards for international transfers
Individual notification requirements through healthcare provider privacy notices
Options for data residency and geographic restrictions where possible


PRIVACY COMPLIANCE CONTACT

Privacy Officer

Name: Riley Abreo

Title: Privacy Officer

Email: [email protected]

Phone: 1-778-608-8265

Mailing Address: 2302-1277 Melville Street, Vancouver, BC, V6E 0A4

Privacy Inquiries

Privacy Questions: [email protected]

Compliance Issues: [email protected]

Breach Reporting: [email protected]

General Inquiries: [email protected]

Business Hours

Privacy Officer Availability

Monday - Friday: 9:00 AM - 5:00 PM Pacific Time
Emergency privacy incidents: 24/7 via [email protected]
Response time: Within 24 hours for urgent matters, 72 hours for routine inquiries


PIPEDA COMPLIANCE CHECKLIST

For Healthcare Providers

Before using MyMedPro.io services:

[ ] Data Processing Agreement signed and executed
[ ] Privacy impact assessment completed for Data Processor relationship
[ ] Privacy notice updated to include cross-border transfer disclosure
[ ] Consent procedures verified for service delivery and data processing
[ ] Individual rights procedures coordinated with MyMedPro.io
[ ] Breach notification procedures established and tested
[ ] Provincial compliance verified (PHIPA, HIA, PIPA as applicable)
[ ] Staff training completed on Data Processor oversight responsibilities

Ongoing Compliance

[ ] Annual privacy assessment of Data Processor relationship completed
[ ] Privacy incident reporting procedures active and tested
[ ] Individual rights requests coordination established and functioning
[ ] Cross-border transfer monitoring and documentation maintained
[ ] Regulatory updates monitored and compliance verified
[ ] Privacy training updated annually for all relevant staff


Questions about PIPEDA compliance?

Contact our Privacy Officer at [email protected] or 1-778-608-8265

Privacy Commissioner Resources:

Federal: Office of the Privacy Commissioner of Canada (priv.gc.ca)
Ontario: Information and Privacy Commissioner of Ontario (ipc.on.ca)
Alberta: Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca)
BC: Office of the Information and Privacy Commissioner for BC (oipc.bc.ca)

Last Updated: May 17, 2025

Next Review: December 17, 2025