PRIVACY POLICY
Framework Consulting Corp. d/b/a MyMedPro.io
Effective Date: June 17, 2025
Framework Consulting Corp., doing business as MyMedPro.io ("we," "us," "our," "Company"), is committed to protecting your privacy and personal information in accordance with applicable privacy laws, including:
United States: Health Insurance Portability and Accountability Act (HIPAA)
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Provincial Laws: Including but not limited to BC PIPA, Ontario PHIPA, and Alberta HIA
This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our AI-powered healthcare communication services.
1. WHO WE ARE
Legal Entity:
Framework Consulting Corp.
Business Name:
MyMedPro.io
Business Address:
2302-1277 Melville Street, Vancouver, BC, V6E 0A4
Privacy Officer:
Riley Abreo
Contact:
[email protected]
Phone:
1-778-608-8265
1.1 Our Role in Privacy Protection
For US Healthcare Providers:
We operate as a Business Associate under HIPAA, processing Protected Health Information (PHI) on behalf of Covered Entities.
For Canadian Healthcare Providers:
We operate as a Data Processor under PIPEDA and provincial health privacy laws, processing personal health information on behalf of healthcare providers (Data Controllers).
2. INFORMATION WE COLLECT
2.1 From Healthcare Providers (Our Direct Clients)
Business Information:
Practice name, address, and contact details
Healthcare provider licensing information
Staff contact information and access credentials
Billing and payment information
Service preferences and configuration settings
Account Management Data:
Login credentials and authentication information
Usage statistics and service analytics
Support communications and service requests
Training and onboarding records
2.2 Patient Information (Processed on Behalf of Healthcare Providers)
Contact Information:
Full names and preferred names
Phone numbers (mobile and landline)
Email addresses
Mailing addresses (when provided)
Healthcare Communication Data:
Appointment dates, times, and locations
General reason for visit or service type
Communication preferences (phone, text, email)
Call logs and message records
Appointment confirmation and reminder responses
Technical Data:
IP addresses (for security and service delivery)
Device information and browser type
Call quality metrics and connection data
System access logs and security event data
2.3 Information We Do NOT Collect
We do not collect:
Detailed medical records or clinical notes
Diagnostic information or test results
Treatment plans or medical advice
Insurance information (except when necessary for appointment scheduling)
Payment information from patients (only from healthcare providers)
3. HOW WE USE PERSONAL INFORMATION
3.1 Primary Service Purposes
We use personal information solely to provide our healthcare communication services:
Call Management:
Answering patient calls during business hours and after hours
Taking accurate messages and routing to appropriate staff
Handling general inquiries about practice information
Providing basic appointment scheduling assistance
Appointment Services:
Scheduling new appointments and consultations
Confirming upcoming appointments
Sending appointment reminders via phone, text, or email
Managing appointment changes and cancellations
Following up on missed appointments
Patient Communication:
Sending appointment confirmations and reminders
Providing practice updates and important notices
Handling routine patient inquiries
Facilitating communication between patients and healthcare providers
Analytics and Reporting:
Providing call volume and communication analytics to healthcare providers
Generating reports on appointment scheduling efficiency
Analyzing communication patterns to improve service quality
Creating de-identified performance metrics
3.2 Service Improvement and Development
Using De-identified Data Only:
Improving AI algorithms and natural language processing
Enhancing call routing and message handling capabilities
Developing new features and service offerings
Training AI models for better patient communication
Important:
We only use de-identified, aggregated data for service improvement. Individual patient information is never used for AI training or development purposes.
3.3 Legal and Compliance Purposes
Complying with healthcare and privacy law requirements
Responding to legal requests and court orders
Protecting against fraud and security threats
Maintaining audit logs for compliance purposes
Investigating and responding to privacy incidents
4. DATA SHARING AND DISCLOSURE
4.1 Healthcare Provider Access
Your Healthcare Provider Has Access To:
All communication records related to your care
Appointment scheduling data and preferences
Message logs and call summaries
Analytics about practice communication patterns
Healthcare Provider Responsibilities:
Your healthcare provider is responsible for:
Obtaining your consent for our services
Maintaining their own privacy notices
Ensuring compliance with applicable privacy laws
Managing your healthcare information appropriately
4.2 Authorized Service Providers (Subprocessors)
We work with carefully selected service providers who help us deliver our services:
Amazon Web Services (AWS)
Service: Cloud hosting and infrastructure
Data Access: All categories of information listed above
Location: United States and Canada
Safeguards: Business Associate Agreement, encryption, access controls
Twilio
Service: Phone and messaging communications
Data Access: Contact information and communication records
Location: United States
Safeguards: Data Processing Agreement, secure APIs, limited access
Stripe
Service: Payment processing (healthcare provider billing only)
Data Access: Healthcare provider billing information only
Location: United States
Safeguards: PCI DSS compliance, encryption, secure processing
Important:
All service providers are required to:
Sign comprehensive data protection agreements
Implement appropriate security measures
Use information only for specified service purposes
Comply with applicable privacy laws
4.3 Legal Disclosures
We may disclose personal information when required by law:
In response to valid court orders or subpoenas
To comply with regulatory investigations
To report suspected abuse or neglect as required by law
To protect against imminent threats to health or safety
For national security or law enforcement purposes when legally required
4.4 What We Do NOT Do
We never:
Sell personal information to third parties
Use personal information for marketing or advertising
Share information with unauthorized parties
Combine patient data across different healthcare providers
Use patient information for our own business development
5. CROSS-BORDER DATA TRANSFERS
5.1 International Processing Disclosure
Important Notice:
Personal information may be processed outside your home country:
Primary Storage Locations:
Canada (preferred for Canadian clients)
United States (through AWS infrastructure)
Processing Locations:
United States (AI processing, communications infrastructure)
Canada (primary data storage and customer support)
5.2 Safeguards for Cross-Border Transfers
For Transfers to the United States:
Standard Contractual Clauses with service providers
Business Associate Agreements under HIPAA
Encryption of all data in transit and at rest
Regular security audits and compliance monitoring
For Canadian Data:
Compliance with PIPEDA cross-border provisions
Notification in healthcare provider agreements
Individual notification through this Privacy Policy
Comparable protection standards maintained
5.3 Data Residency Options
Healthcare providers may request:
Canadian data residency for sensitive information
Specific geographic restrictions on data processing
Custom data handling arrangements for enhanced security
6. DATA RETENTION AND DESTRUCTION
6.1 Retention Periods
Active Healthcare Provider Relationships:
Patient communication records: 90 days after last contact
Appointment scheduling data: Duration of healthcare provider relationship
System logs and security data: 2 years minimum
Analytics and reporting data: 3 years or as agreed with healthcare provider
Terminated Healthcare Provider Relationships:
All patient information: Deleted within 30 days of termination
Backup copies: Destroyed within 90 days of termination
System logs (de-identified): May be retained for security purposes
Billing records: 7 years as required by tax laws
6.2 Secure Destruction Methods
Electronic Data:
NIST SP 800-88 compliant media sanitization
Cryptographic erasure for encrypted information
Multiple-pass overwriting for sensitive data
Verification and certification of destruction
Physical Media:
Cross-cut shredding for paper documents
Physical destruction of storage devices
Witnessed destruction with certificates
Secure disposal through certified vendors
6.3 Legal Holds and Exceptions
Data retention may be extended when:
Required by legal proceedings or investigations
Necessary for regulatory compliance
Requested by healthcare providers for specific purposes
Required for security incident investigation
7. SECURITY MEASURES
7.1 Technical Safeguards
Encryption:
AES-256 encryption for all data at rest
TLS 1.3 encryption for all data in transit
End-to-end encryption for voice communications
Encrypted backup and disaster recovery systems
Access Controls:
Multi-factor authentication for all system access
Role-based access controls with least privilege principle
Regular access reviews and permission updates
Automated session timeouts and access logging
Network Security:
Web Application Firewall (WAF) protection
Intrusion detection and prevention systems
DDoS protection and network monitoring
Regular vulnerability scanning and penetration testing
7.2 Administrative Safeguards
Staff Training and Management:
Comprehensive privacy and security training for all employees
Background checks for personnel with access to personal information
Confidentiality agreements and privacy commitments
Regular training updates and competency assessments
Policies and Procedures:
Comprehensive privacy and security policies
Incident response and breach notification procedures
Vendor management and third-party oversight
Regular policy reviews and updates
Compliance Monitoring:
Continuous compliance monitoring and auditing
Regular risk assessments and security evaluations
Internal and external security audits
Compliance reporting and documentation
7.3 Physical Safeguards
Data Center Security:
SOC 2 audited facilities with 24/7 monitoring
Biometric access controls and security cameras
Environmental controls and fire suppression systems
Redundant power and network connectivity
Workplace Security:
Secure office environments with access controls
Clean desk policies and secure document storage
Visitor management and escort procedures
Secure disposal of confidential materials
8. YOUR PRIVACY RIGHTS
8.1 Access Rights
You have the right to:
Request access to your personal information that we process
Receive a copy of your information in a readable format
Understand how your information is being used
Know who has access to your information
How to Exercise:
Contact your healthcare provider or email [email protected]
8.2 Correction Rights
You have the right to:
Request correction of inaccurate personal information
Update your contact preferences and information
Clarify or amend incomplete records
How to Exercise:
Contact your healthcare provider directly or email [email protected]
8.3 Consent and Withdrawal
You have the right to:
Understand what you're consenting to when your healthcare provider uses our services
Withdraw consent for specific uses of your information
Opt-out of appointment reminders or specific communication methods
Important:
Withdrawing consent may affect your healthcare provider's ability to communicate with you effectively.
8.4 Complaint Rights
You have the right to:
File a complaint about our privacy practices
Contact privacy regulators if you believe your rights have been violated
Receive a response to your privacy concerns
Privacy Regulators:
Canada: Privacy Commissioner of Canada (1-800-282-1376)
US: HHS Office for Civil Rights (1-800-368-1019)
Provincial: Your provincial privacy commissioner
9. BREACH NOTIFICATION
9.1 Our Commitments
In the event of a privacy breach involving your personal information:
Immediate Response:
Contain the breach and assess the scope of impact
Investigate the cause and implement corrective measures
Document all aspects of the incident and response
Notification Timeline:
Healthcare Providers: Notified within 24 hours of discovery
Individuals: Notified through healthcare provider "as soon as feasible"
Regulators: Notified as required by applicable laws (HIPAA: without unreasonable delay and no later than 60 days after discovery; PIPEDA: as soon as feasible)
9.2 What We'll Tell You
Breach notifications will include:
Description of what happened and when
Types of information involved
Steps we've taken to address the breach
What you can do to protect yourself
How to contact us for more information
9.3 Prevention Measures
We work continuously to prevent breaches through:
Regular security training and awareness programs
Ongoing monitoring and threat detection
Regular security audits and vulnerability assessments
Incident response planning and testing
10. CONSENT AND LEGAL BASIS
10.1 Consent for Service Delivery
Your healthcare provider obtains consent on our behalf for:
Processing your personal information to provide communication services
Storing your information in our secure systems
Cross-border transfer of information to our service providers
Using de-identified information for service improvement
10.2 Legal Basis for Processing
We process personal information based on:
Consent: As obtained by your healthcare provider
Legitimate Interest: For security, fraud prevention, and service improvement
Legal Obligation: To comply with healthcare and privacy laws
Contractual Necessity: To provide services to healthcare providers
10.3 Special Categories of Data
Health Information Processing:
Health information receives special protection under privacy laws. We process health information only:
With appropriate consent as obtained by your healthcare provider
For the specific purposes outlined in this policy
With enhanced security measures and access controls
In compliance with applicable health privacy laws
11. CHILDREN'S PRIVACY
11.1 Minors' Information
We may process information about minors (under 18) when:
Their healthcare provider uses our services
A parent or guardian has provided appropriate consent
Processing is necessary for healthcare communication purposes
11.2 Special Protections
For minors' information, we implement:
Enhanced security and access controls
Limited retention periods
Additional consent verification requirements
Careful handling of sensitive information
11.3 Parental Rights
Parents and guardians have the right to:
Access their child's communication records
Request corrections to inaccurate information
Control communication preferences and methods
Withdraw consent where legally permissible
12. UPDATES TO THIS POLICY
12.1 Policy Changes
We may update this Privacy Policy to:
Reflect changes in our services or business practices
Comply with new or updated privacy laws
Improve clarity and transparency
Address new privacy risks or technologies
12.2 Notification of Changes
We will notify you of material changes by:
Posting the updated policy on our website
Sending email notification to healthcare providers
Providing 30 days' advance notice of significant changes
Highlighting key changes in our communications
12.3 Your Options
If you disagree with policy changes:
Contact your healthcare provider to discuss alternatives
Withdraw consent for specific processing activities
File a complaint with privacy regulators
Contact us directly to discuss your concerns
13. CONTACT INFORMATION
13.1 Privacy Officer
Name:
Riley Abreo
Title:
Privacy Officer
Email:
[email protected]
Phone:
1-778-608-8265
Mailing Address:
2302-1277 Melville Street, Vancouver, BC, V6E 0A4
13.2 General Inquiries
Privacy Questions:
[email protected]
Security Concerns:
[email protected]
General Support:
[email protected]
Legal Questions:
[email protected]
13.3 Business Hours
Privacy Officer Availability:
Monday - Friday: 9:00 AM - 5:00 PM Pacific Time
Emergency privacy issues: 24/7 via [email protected]
Response time: Within 24 hours for urgent matters, 72 hours for routine inquiries
14. REGULATORY COMPLIANCE STATEMENTS
14.1 HIPAA Compliance (US)
This Privacy Policy and our privacy practices comply with the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164). We operate as a Business Associate and maintain all required safeguards for Protected Health Information.
14.2 PIPEDA Compliance (Canada)
Our privacy practices comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and incorporate the principles of:
Accountability, identifying purposes, and consent
Limiting collection, use, disclosure, and retention
Accuracy, safeguards, and openness
Individual access and challenging compliance
14.3 Provincial Compliance
Ontario (PHIPA):
We comply with the Personal Health Information Protection Act and operate as an agent of health information custodians.
Alberta (HIA):
We comply with the Health Information Act and maintain appropriate agreements with health information custodians.
British Columbia:
We comply with the Personal Information Protection Act and E-Health Act requirements.
Last Updated:
May 17, 2025
Version:
1.1
Next Review Date:
December 17, 2025
For questions about this Privacy Policy or our privacy practices, please contact our Privacy Officer at [email protected] or 1-778-608-8265.