Medeo

MEDEO SOLUTION USER PRIVACY POLICY

Introduction

QHR Technologies Inc. is a healthcare technology company that provides services for both healthcare providers and patients across Canada through several software applications (the “Solutions”).

At QHR Technologies Inc. (“QHR”, “we” and/or “our”), we understand the responsibility that comes along with providing healthcare technology and so have built in privacy protections with our users in mind. We have developed this Privacy Policy (the “Policy”) to help explain the privacy features of our Solutions as well as the websites we operate including: www.qhrtechnologies.com, https://medeohealth.com/, https://accuroemr.com/, and https://freedomrx.health/ (the “ Sites”).

This Policy describes how we help healthcare professionals manage and protect the privacy of personal information through the Solutions. The Policy also describes how we collect, use, disclose and protect your personal information when you interact or use the Sites, and/or if you use any of our products, applications (including the Solutions), or any other services made available through or in relation to the Sites and the Solutions (the “Services”).

Contents

Introduction
Accountability
What is Personal Information and Personal Health Information?
What Solutions Does QHR Offer?
What Personal Information Do We Collect and Use and Why?
Personal Information Collected by Healthcare Providers Using the Solutions
What Personal Information Does QHR Collect and Use in Providing the Services?
Getting Your Consent
How Do We Share Personal Information with Partners and Service Providers?
What Choices Do You Have About How We Use and Share Your Personal Information?
How Do We Secure Your Personal Information?
Where do we Store Data?
Data Retention
How Can You Correct and Access Your Personal Information?
Questions and Concerns
Changes to the Policy

Accountability

In adopting and adhering to this Policy, we assure you that the personal information we collect will be used in an appropriate and responsible manner. QHR is committed to protecting the privacy of all personal information which has been provided to us and we will manage personal information in accordance with applicable Canadian privacy legislation and any other applicable provincial or federal legislation.

This Policy applies to the personal information collected through the Services by QHR. This includes personal information collected, used, processed and disclosed through:

QHR’s Solutions
QHR’s Sites, as well as our social media, such as Facebook, Twitter, YouTube and LinkedIn
Correspondence from individuals about our Sites, the Solutions and/or the Services (including e-mails, messages sent to us through the Sites, telephone calls to our call centres)
Providing support for our Services
Online job applications

What is Personal Information and Personal Health Information?

In this Policy, “personal information” means information about an identifiable individual, including personal health information about that individual. “Personal health information” means identifying information that relates to an individual’s health, including diagnostic, treatment and care information, and information like the individual’s personal health number.

What Solutions Does QHR Offer?

QHR provides software and hosting solutions to help enable healthcare professionals manage their practice, so individuals can better access healthcare, and for both to be able to access and share information with each other, including personal information. These include the following solutions:

AccuroEMR : AccuroEMR is an Electronic Medical Records solution that helps healthcare providers manage and optimize their practice by digitizing patient information and streamlining day to day tasks. The core application includes both a complete desktop version and a companion mobile app, ACCUROgo, which lets users remotely access key features of the EMR. Additional patient management modules are available for AccuroEMR, such as video conferencing, patient messaging, online booking, and e-prescribing.
Medeo : Medeo is an online booking and telemedicine solution that lets patients connect with their healthcare providers. Using Medeo, patients can book appointments online, have virtual appointments by video, and securely share messages, files, and photos with their doctor.
FreedomRx: FreedomRx is an ePrescribing and communications solution that connects participating healthcare providers and pharmacists. It streamlines prescription intake and enables communication with between pharmacies and prescribers.

The personal information collected, used and disclosed through these Solutions is typically managed by healthcare professionals and their staff in the course of providing health care services to patients, or it may be provided directly by an individual in the course of using the Solution. In these circumstances, we will be assisting the health care provider and/or individual by providing the software and data hosting to enable the health care provider and individual to use the Solution.

Some solutions or certain features are provided on the basis of a paid subscription. We engage specialized payment processing service providers to assist us as described in the Payment Processing section below.

What Personal Information Do We Collect and Use and Why?

QHR provides software solutions for healthcare providers and patients. In the course of using our Solutions, healthcare providers will collect, use and/or disclose personal information about their patients, including personal health information.

In the provision of our Solutions, QHR manages (and in some cases hosts) personal information on behalf of healthcare providers, who remain the custodians of that personal health information.

This Policy is not about the collection, use, and/or disclosure of personal information by healthcare providers. If you would like to know more about how your healthcare provider handles your personal information, you should ask them about their policies and practices. To learn more about the types of personal information which your healthcare provider may collect from you while using the Solutions, review the Personal Information Collected by Healthcare Providers Using the Solutions section below.

Personal Information Collected by Healthcare Providers Using the Solutions

QHR’s Solutions provide healthcare providers with a platform to collect, use, process, store, and disclose patients’ personal information. Below, we have described what types of personal information are collected by healthcare providers (including physicians, pharmacists and their administrative staff) using each solution.

Accuro EMR

AccuroEMR allows for the collection, use and disclosure of the following types of personal information by healthcare providers:

Name
Address
Contact information, including phone number and e-mail address
Demographic information, such as languages spoken, occupation, age, gender, and dependent information
Personal health number
Personal health information, including:
Visits to your healthcare provider (e.g. date of service, healthcare provider, visit type, visit reason, referring provider, payment information); and
Health information recorded by health care providers and their staff in the course of providing treatment (e.g. conditions, diagnoses, medications, diagnostic imaging, lab observations, immunizations, treatments, referrals, clinical observations, surgical history and consultations).

AccuroEMR includes several sub-applications, including Accuro Engage, ACCUROgo and Accuro Mobile.

Medeo

Medeo allows for the storage of the following types of personal information by users, and for the collection, use and disclosure of the following types of personal information by healthcare providers and caregivers:

Name and other demographic information
Appointment dates (for in clinic and virtual visits)
Medical conditions
Reason(s) for visit
Encounter notes
Prescription information
Lab requisitions
Care plans
Messages between healthcare providers and patients

Medeo includes an option to add premium features through a Medeo Plus subscription.

If the healthcare provider also has Accuro EMR, certain personal information can be shared between Accuro EMR and Medeo by the provider (e.g. appointment information and personal health information).

FreedomRx

FreedomRx allows for the collection, use and disclosure of the following types of personal information by health care providers and pharmacies:

Name
Address
Telephone number
Date of birth
Gender
Personal health number
Medication information
Health information such as allergies
Messages between prescribers and pharmacists
HealthMail Address
Identifying information about the healthcare provider and clinic

Your healthcare provider will share pertinent information with the pharmacy indicated by the healthcare provider or selected by you in the course of providing treatment. FreedomRx is being used by many independent pharmacies, Shoppers Drug Mart and Loblaw Pharmacies.

QHR also uses third party partners to provide additional functionality to our Solutions. See the section Partners in Providing Specialized Service below for a description of these partners and services.

What Personal Information Does QHR Collect and Use in Providing the Services?

QHR also collects personal information from and about individuals in a variety of ways, including: when it is provided directly; and when individuals interact with us and use the Sites, Solutions, and/or the Services.

We use personal information to provide our products, Services and Solutions, to manage our business relationship, to communicate offers and information, to measure the effectiveness our Services, including marketing and promotions about our Services, and as permitted or required by law.

Please review the sections below for further information:

Personal Information QHR Collects from Our Health Care Provider Clients
Personal Information You Provide to QHR
Information Provided by Your Healthcare Provider to QHR
Information Automatically Collected When Using the Websites, Social Media, or the Solutions
Business and Legal Uses of Personal Information by QHR

Personal Information QHR Collects from Our Healthcare Provider Clients

QHR collects certain personal information from our clients and their staff in the course of managing our business relationship. For example, we collect the names and authentication information of our clients’ staff so they have unique log in credentials to use the Solutions in accordance with our License and Services Agreements with clients. For user verification and security purposes, we also collect information like IP address and browser type for use in conjunction with authentication information. We also collect personal information about our clients’ staff when providing them with Services like training or support on our Solutions.

Personal Information You Provide to QHR

We collect information that you provide directly to QHR, over the telephone, by e-mail, as well as through the use of the Sites and the Solutions. This includes your contact information, account and profile information associated with the Solutions, limited personal health information, appointment information, feedback, ratings, reviews, job application information, social media information, and call centre information. Review the sections below to learn more about the purposes for collecting this information.

Contact information:

We collect your personal information when you contact QHR to directly to inquire about Sites, the Solutions, and/or the Services. For example, when you complete any of the contact or inquiry forms on our Sites, we will collect your name, phone number, e-mail address, city, province, postal code, and any other information that you choose to provide to us. When you send customer support a message on one of our Sites, we collect your name, e-mail address, phone number, and any other information that you choose to provide to us. When you report a problem, or submit questions, concerns or comments regarding the Solutions, we may also collect your name, e-mail address, phone number, and other information that you choose to provide to us.

We use your contact information to contact and correspond with you directly about our relationship, and your use of the Sites, Solutions and/or Services. We may contact you to inform you about our services in different ways including by mail, email, telephone, or other means to which you have agreed. We may use your contact information to provide you with information, quote, or services that you have requested, to respond to customer service requests, and where we have your consent to do so, to send you push notifications on your device through the Solutions.

Where permitted and we have your consent to do so, we may send you information about QHR’s services, including general updates and announcements, contests, promotions, seminars, workshops and events (see below for information on how to “opt-out” of receiving certain communications from us).

Account and profile information:

QHR collects personal information from patients when they register for an account with Medeo, typically after downloading the application, and when patients create or modify their account or user profile. This includes information such as:

Name
Address
Birthdate
E-mail address
Phone number
Username and password

We use your account and profile information to set up provide you with access to the Solutions and/or Services, to create and set up your account and user profile, and to administer your use of the Sites, Solutions and/or Services. We also use your account and profile information to connect you with a healthcare provider or patient, as applicable.

Feedback, Ratings and Reviews:

We collect the information you include in any feedback you provide to QHR through the Sites, Solutions, or when you e-mail or call our customer service. We use feedback, rating and review information to improve the Sites, Solutions, and/or Services, including to administer and resolve technical issues on the Sites or Solutions. We may also use this information to investigate and address your concerns. In addition, we may use this information to suspend or deactivate the user accounts, and to assist in training our employees and service providers.

Job application information:

We use a third-party service provider, ADP, to host the online careers page on the QHR website, and to manage job applications submitted through the website. In order to apply for a position listed on our careers page, you will be redirected to ADP’s website where you can submit an application for the posted position. As part of the application process, you will be asked to submit personal information such as your name, e-mail address, mailing address, phone number, and resume. This personal information is collected directly by ADP on behalf of QHR. We use this information to evaluate an applicant’s eligibility and suitability for employment with QHR. To learn more about ADP’s privacy practices, please see its privacy policy for client employees at https://privacy.adp.com/privacy.html?locale=en_CA .

Social media information:

When you visit one of our social media sites (e.g. LinkedIn, Facebook, YouTube, Twitter), we may collect personal information that you choose to submit to us such as your name, contact information, or any other information you choose to provide. We use this information for the purpose of responding to an enquiry you have made to us through social media.

Call centre information:

When you call one of our call centres (e.g. to request customer support for one of our Solutions or to request a quote), those telephone calls may be recorded and we may collect personal information that you may provide during those calls, such as your name, telephone number, and e-mail address. We use this information for the purposes of providing you with any information that you request (e.g. a quote) and for providing you with customer support for our Solutions

Other information:

We collect any other personal information that you submit directly to QHR on a voluntary basis. For example, we will collect and use information like name, clinic name, address, phone number, email and products of interest when you enter a contest or promotion.

Information Provided by Your Healthcare Provider to QHR

Generally, QHR will collect personal information directly from the person to whom the personal information relates. However, given the nature of the Solutions, QHR will sometimes receive personal information about you from your healthcare provider.

All users of our Solutions, including healthcare providers and their administrative staff, must have a unique login to access and use Accuro EMR, Medeo and FreedomRx. As a result, QHR clients will provide QHR with the certain identifying information to enable QHR to set up and manage accounts and user profiles for client staff to access and use the Solutions.

For Accuro EMR, this includes: Name, e-mail, phone number, college registration number, demographic information, and security/PIN information.
For Medeo, this includes; Name, e-mail, phone number, occupation and specialization, and password.
For FreedomRx, this includes: name, username and e-mail.

To set up a healthcare provider with Accuro EMR, the healthcare provider may provide QHR with a copy of their patient database to be imported into the Accuro EMR solution. This will include all personal information in their patient files which the provider wants to digitize in the solution. When setting up pharmacies with FreedomRX, the pharmacy will provide QHR with the names of pharmacists and their email addresses.

QHR may also receive personal information about you from a client when a client initiates a request for service or support. To provide this service, we may require access to an electronic file or data set, which may include your personal information.

If you have concerns about personal information that has been provided to QHR by your employer or your healthcare provider, you should address that concern directly with your employer/healthcare provider. QHR will reasonably assist its clients in answering questions that individual users may have about their accounts.

Information Automatically Collected When Using the Websites, Social Media, or the Solutions

QHR uses various technologies which automatically collect certain information. These technologies include cookies and analytics technology. The information we collect includes device, technical and usage information, geolocation information, and video call and messaging information. Please review the sections below to learn more about each type of automatic collection of information by QHR.

Device, technical and usage information:

We collect your IP address, web browser type, and operating system when accessing our Sites and Solutions. We also collect information about the sections of the Sites and Solutions that you visit, the date and time of your use of the Sites and Solutions, your in-media time, your actions within the Sites and Solutions, crashes and other system activity on the Sites and Solutions, and certain content that you download from the Sites and Solutions. We use device information to understand traffic and activity on the Sites and the Solutions, to audit use of the Solutions for licensing purposes as well as for license modeling, to enable us to improve the Sites, the Solutions and/or the Services, to understand what drives traffic to our Sites, to understand interest in our Services, and to tailor our marketing. For example, this information helps us understand whether a Solution is compatible with your mobile device. QHR also reviews Solution usage information to measure adoption, engagement, and improve the product and services.

Video visits:

To facilitate video visits through Medeo, we use third party service providers, for services such as STUN and TURN to facilitate video calls between healthcare providers and patients who are using Medeo. The third-party service provider may collect personal information about these calls, including the date and time of the call and customer IP addresses to facilitate the video visit. The contents of video streams cannot be viewed by our third-party service providers.

Messaging:

Messaging though Medeo is facilitated by embedded communication APIs, such as Twilio for SMS and SendGrid for email. Messaging through HealthMail is all conducted through our Solutions directly.

Web analytics:

We want to learn more about how our customers and prospects interact with our Sites and Services so we can improve existing products and services, develop new products, services, programs, promotions, contests or events, and better understand how to communicate with you. Personal health information is not shared for web analytics or marketing purposes .

Cookies and Analytics:

QHR uses third party analytics tools, such as Google Analytics and Pardot. These analytics services track certain activities on our Site by setting cookies in your browser. Cookies remember preferences when a visitor returns to the Site. They can also be used for logged-in users to maintain the session and remember the user. These cookies don’t collect personally identifying information, only a unique identifier. Google analytics uses cookies to track certain usage information on the Sites, to create reports for QHR about activities of viewers. Such information may include aggregated information about the devices, networks, general geolocation, page visits, duration of visits and click through information of visitors to our Site and Solutions. This data is used for aggregate reporting purposes. To learn more about Google’s privacy practices, including how you can view and edit your preferences, please see the Google Privacy Policy.

Visitor preferences:

If you have provided your contact information on one of the sign-up forms on our Sites, or have been added to our Salesforce database, analytics services like Pardot will connect your activity on our Sites with your account in our Salesforce database. Visitors to the Sites will receive a message that asks them to opt in on their first visit. The message doesn’t appear again unless you clear your cookies. You may opt out of tracking, in which case Pardot treats the session as if cookies are disabled. You may opt-out at any time by clearing your cookies, which will cause the opt-in message to reappear when you visit the Site, allowing you to opt-out. Visitors who do not opt-in are treated as if they have opted out. In the event you opt-in, Pardot will set cookies on your browser which will remember preferences (like form field values), maintain the session and remember table filters when you return to the Site. Pardot will also provide us with reports about the types of activities in which you engage on our Site, so we can better understand your use and interest in our Site and Services, and provide you with information we think may be of interest or assistance to you.

Business and Legal Uses of Personal Information by QHR

In addition to the purposes listed above, in general, QHR may also use the personal information we collect about you to:

conduct data analysis, testing, and monitor and analyze usage and activity trends;
ensure compliance with and identify violations of the applicable Terms of Service;
enforce our rights arising from any contracts between you and us;
enforce billing and collections;
identify and prevent fraudulent activity and to protect security of the Sites and Solutions;
meet legal and regulatory requirements; and
facilitate such other services and activities, as we may identify to you at the time.

QHR will only use your personal information for the purpose for which it was originally collected, or for a use consistent with that purpose, unless you expressly consent or it is permitted or required by law.

Getting Your Consent

There are various ways you may consent to the collection, use and disclosure of your personal information processed through our Solutions on behalf of your healthcare provider and the Services provided by QHR.

Typically, you will voluntarily give information to your healthcare provider or will otherwise provide your consent to them. You should raise any questions you have about consent you have given your healthcare provider directly with them.

As described above, there are some instances in which individuals provide personal information to QHR. If you install any of the Solutions, enter into a License and Services Agreement, create an account to use one of our Solutions, or use the Sites, Solutions or Services, you acknowledge the notices in this Policy and you consent to QHR’s collection, use, disclosure, and retention of your personal information in accordance with this Policy and as otherwise permitted by law. You may withdraw your consent at any time by giving QHR reasonable notice, but consent may not be withdrawn where doing so would frustrate performance of a legal obligation.

In some cases, QHR may seek your consent for the use and disclosure of your personal information after it has been collected, but before it has been used or disclosed (e.g. where we want to use your personal information for a purpose not previously identified to you). We will not use or disclose your personal information for any new purpose without first identifying the new purpose and providing notice to you or obtaining your consent (as applicable), unless otherwise permitted by law. You can always choose not to provide QHR with certain requested personal information, but then you may not be able to access or utilize all or part of the Sites, the Solutions and/or the Services.

How Do We Share Personal Information with Partners and Service Providers?

We may share your personal information within our group of companies, or with our service providers and other third parties for the purposes described below and in accordance with applicable laws.

QHR does not share any of your health information with any advertisers or related companies . Except as described in this Policy or in other situations where we have provided you with prior notice, have obtained your consent, or are obligated or permitted by law, QHR will not share your personal information with third parties. Please note that third party companies are not governed by this Policy and may have their own privacy policies and practices regarding personal information.

Please review the sections below to learn more about the circumstances in which QHR may share your personal information:

Related Companies
Partners in Providing Specialized Services
Third Party Vendors
Third Party Service Providers
Sale or Transfer of the Business
Information Sharing Required or Authorized by Law

Related Companies

For Privacy related issues, QHR employs the Loblaws Privacy office to manage and operate the privacy program. We will generally only share aggregate usage and similar information with our parent company, Loblaws, and its wholly-owned subsidiary, Shoppers Drug Mart Inc. (“SDMI”). In limited circumstances, such as to assist with a legal or regulatory matter, incident response, or risk management, QHR may share or provide access to certain personal information to assist us.

Add-On Products Providing Specialized Services

QHR’s Solutions support the use of several integrated third-party patient management modules such as appointment reminders, transcription, dictation, patient messaging, online booking, video conferencing, and e-prescribing. These add-on tools are offered by third parties that integrate with the Solutions, to optimize their performance and utility.

A list and description of integrated and add-on products can be found here.

Ocean by CognisantMD : Ocean’s patient forms tool allows clients to digitize their patients’ medical forms and import them into Accuro EMR and streamlines patient intake.
Cliniconex: Cliniconex’s appointment reminders tool provides a fully automated and secure EMR communication solution which facilitates patient bookings and reminders.
mModal : mModal’s tools offer cloud-based clinical dictation and transcription tools.
Chronometriq : Chronometriq’s tools include online booking, appointment reminder and kiosk tools.
Zeiss : Zeiss Forum® connectivity is a tool for specialists in ophthalmology and microsurgery.
Welch Allyn: Accuro EMR connects to select Welch Allyn devices to allow for the seamless transfer of data directly into AccuroEMR and downloads to a patient’s file.

If your healthcare provider uses any of these tools when using QHR’s Solutions, these partners may receive personal information about you.

Third Party Healthcare Providers and Provincial Services

QHR’s Solutions allow for third party healthcare providers and provincial services to exchange personal information between health care providers and the vendors. For example, laboratory vendors such as Life Labs, can transmit your electronic lab results to healthcare providers who use Accuro EMR and healthcare providers can transmit billing information through provincial claims services such as Teleplan.

Third Party Service Providers

QHR may share certain personal information with third party service providers with whom we have contracted to provide certain services on behalf of QHR. Currently, QHR uses the third party service providers set out here.

Services	Third Parties	Location of Data Processing
Website Analytics	Google, Pardot	Outside Canada
Privacy and Security Reviews	OneTrust	Outside Canada
Online Surveys	GetFeedback	Outside Canada
Customer Management	Salesforce, Zuora, Microsoft, OwnBackup	Outside Canada
Solution Support Services	Salesforce	Outside Canada
Content Delivery	Akamai	Outside Canada
Security and Identity Authorization and Management	Akamai, Splunk, Checkpoint, Palo Alto, Okta, Microsoft	Canada and outside Canada
Software Development and Management	Microsoft, Tableau, OfficeSpace Software	Canada and outside Canada
Electronic Communications	Pardot, SendGrid, Twilio	Outside Canada
Customer Support	Mitel	Canada
Career Webpage Hosting	ADP	Outside Canada
STUN/TURN services	Xirsys	Canada
STUN/TURN services	Twilio	Outside Canada
Recurring billing (for Medeo)	Chargebee	Outside Canada
Recurring billing (for Accuro)	Zuora	Outside Canada
Payment gateway (for Medeo)	Spreedly	Outside Canada
Payment processor	Moneris	Canada
Virtual servers and storage	Microsoft Azure	Canada

We engage specialized PCI DSS (Payment Card Industry Data Security Standard) payment processing service providers to process your payments, such as for Accuro monthly fees and Medeo Plus subscriptions. When you provide your credit card or other payment related information through one of our solutions, you are providing it directly through a secure portal to the relevant payment processing providers (identified above). Credit card information is masked to QHR, so we do not have full access to your payment information but instead receive confirmation of payment information from our payment processing provider.

The third-party service providers will have access to personal information needed to perform their functions, but are only provided the limited amount of information required to perform their services. When QHR uses third party service providers, it requires the providers to protect your personal information in accordance with the law and with appropriate safeguards for the protection of the personal information. Any such sharing of your personal information by QHR to a third-party service provider will be conditional upon the information being used solely for the purpose for which it has been shared.

Sale or Transfer of the Business

QHR may decide to sell or transfer all or part of our business to a related company or to a third party, to merge with another entity, to insure or securitize its assets, or to engage in another form of corporate or financing transaction (including transfers made as part of insolvency or bankruptcy proceedings or as part of a corporate reorganization or stock sale or other change in corporate control). QHR may share your personal information in connection with the evaluation of and/or entry into such transactions.

Where Required or Authorized by Law

QHR may also disclose your personal information where authorized or required by law. For example, we may disclose your personal information to comply with a subpoena, in response to a law enforcement body with the lawful authority to obtain the information, pursuant to an investigation into the breach of a law, or to our legal counsel.

What Choices Do You Have About How We Use and Share Your Personal Information?

We want you to understand your choices and make informed decisions about how we use and disclose your personal information. There are several options available for you to manage your privacy preferences including, for example by managing your preferences within your account(s), contacting QHR directly, changing your browser or device settings, and/or by contacting third parties.

Please review the sections below to learn more about options available to you regarding control over your personal information:

Opting-Out of Marketing Communications from QHR
Tracking Technologies
Location Information
Advertising

Opting-Out of Marketing Communications from QHR

If you provide us with your e-mail address and “opt-in” to receiving messages from us via the e-mail address provided, you may receive electronic communications from us from time to time. These electronic communications will provide you with our contact information and a method to opt-out and unsubscribe from receiving marketing information and/or any further communications from us. You can opt-out of receiving these types of communications by updating your email preferences or clicking the unsubscribe link directly within the emails.

QHR may use your e-mail address to communicate with you regarding important matters, such as information about your account with one of our Solutions. You may not opt-out of receiving communications required by law, or necessary to provide you with requested services.

Tracking Technologies

You can disable cookies by adjusting the settings on your internet browser. Disabling cookies may affect your ability to access some pages on the Sites and some parts of the Solutions may not be accessible or may not function properly.

Advertising

We do not share personal health information. We also do not share your personal information with unaffiliated third parties for marketing or promotional purposes.

We do not control third parties’ collection or use of your information to serve advertising. These third parties may provide you with additional choices about how they use your information or ways to choose not to have your information collected or used in this way. You can opt out of several third-party ad servers’ and networks’ cookies by using one of the tools created by the Digital Advertising Alliance of Canada.

How Do We Secure Your Personal Information?

The security of personal information in our care is important to us.

We have built security features into our Solutions to help healthcare professionals protect your personal health information when they are using the Solutions. Some of these features include access controls, unique user accounts, multi-factor authentication, threat detection, and active logging.

QHR takes precautions to help safeguard personal information we manage through the Solutions or is otherwise provided to us. We have made security arrangements to protect against unauthorized access, collection, use, disclosure, and disposal of personal information, in a manner appropriate to the sensitivity of the information. These measures include various administrative and technological safeguards including unique user accounts, and role-based access based on need to know. We also use security practices to protect our systems, which include but are not limited to regular monitoring of our systems for possible vulnerabilities and attacks, proactive penetration tests, encryption of data in transit and at rest, active logging, and employing intrusion detection and prevention systems. We also take steps to ensure that our third-party service providers provide similar or better privacy and security for the personal information they process for us.

As well, QHR will use care when destroying or disposing of personal information to prevent unauthorized access, use or disclosure of any personal information. QHR’s employees with access to personal information are required to respect the confidentiality of such information.

The safety and security of your personal information also depends on you. QHR is not responsible for any lost, stolen, or compromised usernames, passwords or for any activity on your account via unauthorized password activity. You should take steps to protect against unauthorized access to your account by, for example, choosing a robust password and keeping your username and password private. QHR is not responsible for any failure by you to secure your own devices and their access to the Internet or your use of public, unsecured networks. The Sites and Solutions may include links to external websites. Once you leave the Sites or the Solutions, this Policy does not apply. QHR is not responsible for the privacy practices, collection of personal information, or content of external websites.

Unfortunately, information systems, the transmission of information via the Internet and mobile platforms are not completely secure. Although we have designed features and employed security techniques to protect your personal information, we cannot guarantee the security of personal information at all times. Any transmission of your personal information is at your own risk.

Where do we Store Data?

Accuro EMR is only hosted on datacenters located in Canada and personal health information is always stored in Canada.

QHR stores some business and client contact information on servers in the United States. Some personal information (including personal health information) may be processed outside of Canada. For example, peer-to-peer connections and video streaming on the Solutions are supported from within Canada, with fail-over servers located in the United States. QHR also engages third party service providers outside of Canada to process data for the purposes of improving data security. As a result, your personal information may be processed in the United States by one of QHR’s third party service providers and may be subject to the laws and access by government or regulatory organizations in the United States.

If you have any questions about QHR’s policies and practices with respect to service providers outside of Canada, including its collection, use, disclosure, and storage of personal information, you can contact the QHR Privacy Officer at the details listed in the Questions and Concerns section of this Policy below.

Data Retention

Most of the data that QHR manages is on behalf of health care providers and individuals through use of the Solutions. As described above, we also collect some personal information for use by QHR. Our approach to data retention in both cases is described in the sections below.

Personal Information Managed on Behalf of Your Healthcare Provider
Personal Information you Provide to QHR

Personal Information Managed on Behalf of Your Healthcare Provider

Personal information that is collected by your healthcare provider, including your personal health information, is the responsibility of the healthcare provider, being the custodian of that information. Your personal information associated with your relationship with that custodian will be subject to the retention policies and practices of the custodian.

Personal Information You Provide to QHR

Personal information collected by QHR for its use directly is maintained in accordance with applicable privacy legislation and QHR’s retention policies and practices. Generally, QHR stores your personal information for as long as it is reasonably necessary to fulfill the purposes we collected it for, except as otherwise permitted or required by applicable law or regulation.

For clients who have purchased QHR-hosted Solutions, QHR backs up client data and retains those backups for approximately 30 days. Data imports from health care providers may be retained for six months for data integrity confirmation purposes.

When the applicable retention period ends, personal information is scheduled for destruction according to our record retention policies. Where the personal information is stored in an electronic format, it will be deleted from the Solution or systems in which it is retained. Any backups of the personal information will exist until rotated out of the backup archives. Physical storage which is retired is put through a deep data wipe, degaussing and/or physical destruction designed to ensure there is no risk of personal information being recovered.

Under some circumstances we may anonymize or aggregate your personal information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.

How Can You Correct and Access Your Personal Information?

You can challenge the accuracy and completeness of your personal information. It may be most appropriate for you to raise this with your healthcare provider who maintains your healthcare record. Depending on the type of information, you may need to direct your inquiry accordingly:

Accessing or Correcting Personal Information in a Medical File or stored on behalf of your Healthcare Provider
Accessing or Correcting Personal Information Collected by QHR for Use by QHR

Accessing or Correcting Personal Information in a Medical File or stored on behalf of your Healthcare Provider

If you want to access or correct personal information in your medical file, including personal information stored in a Solution on behalf of your healthcare provider, you should make the request directly to your healthcare services provider. It is your responsibility to provide any updates to your personal information to your healthcare provider as appropriate.

Accessing or Correcting Personal Information Collected by QHR for Use by QHR

If you have an account with one of our Solutions, all personal information in your account and user profile is accessible by you. You can make changes to certain personal information that QHR holds about you, such as your contact information, by editing the information in your account. You are responsible for keeping the personal information in your account up to date and accurate. If you are a Medeo user, certain minimum personal information must be input in your account in order to use the Solution’s services. For example, users must share their name, email address and certain other account related information we may reasonably require for verification purposes.

In appropriate circumstances, QHR will amend personal information. It is your responsibility to provide any updates to your personal information to QHR in writing, as applicable.

You may request access to your personal information and/or correction of that information by contacting QHR in writing at the contact information noted below, with sufficient detail to enable QHR to identify the personal information being sought. When you contact QHR, we may ask for further information to confirm your identity and the nature of the information being sought.

After we receive your request for access to personal information, QHR may provide you with an estimate of when you can expect a response. In some cases, QHR may need additional time to respond to a request, in which case we will provide you with written notice of the extension. If you require the documents in an alternative format, we will make reasonable efforts to provide you with your personal information in that format.

Please note that in some cases, QHR may not provide access to personal information that we hold about you, such as where the denial of access is authorized by law. There are also cases where QHR may be legally required to refuse access to personal information. If QHR denies your request for access to personal information, we will advise you of the reason for the refusal, and will provide the name, title, and contact information of the designated person who can address the refusal.

QHR may charge a reasonable fee according to the cost required to retrieve and provide access to the requested information, or to provide it in a requested alternative format. We may provide an estimate of the fee in advance and in some cases, will require a deposit for all or part of the fee.

Questions and Concerns

Questions or concerns about your personal health information should be directed to the healthcare provider from whom you received healthcare services.

If you have a product, service, program, or are participating in a promotion, contest or event that is offered by a third party on behalf of QHR, the third party may hold certain of your personal information. Should you have any questions or concerns about their use of your personal information, we will direct you to the appropriate contact so that you may make enquiries as to that party’s privacy policies and practices.

Questions or concerns regarding this Policy, including the collection of your personal information, can be directed to the QHR Privacy Officer, who is responsible for ensuring QHR’s compliance with this Policy. You can contact the Privacy Officer using any of the following methods:

Mailing Address: 300- 1620 Dickson Ave, Kelowna, BC V1Y 9Y2

Email: privacy@qhrtech.com

QHR takes any complaint about our privacy practices seriously. QHR will investigate all complaints. If QHR finds a complaint justified, we will take the necessary steps to resolve it. You will be informed of the outcome of the investigation regarding any complaint. If you are not satisfied with QHR’s response to a complaint, you may have options to exercise various complaint procedures, including with the relevant Privacy Commissioner or regulatory authority.

Changes to the Policy

QHR may update this Policy from time to time by posting a new version of the Policy on the Sites and the Solutions. If there are significant changes made to the Policy, we may notify users of the Solutions in advance through the Solutions or by e-mail. QHR’s collection, use, disclosure, and retention of your personal information will be governed by the version of the Policy in effect at that time. We suggest that you review this Policy periodically.

Effective Date: October 15^th 2022