How we protect your health information
Your health record is private. This page explains, in plain language, how the Pain Clinic Toronto collects, uses, shares, and protects your personal health information under Ontario's Personal Health Information Protection Act, 2004 (PHIPA) and, where applicable, the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Who we are
The Pain Clinic Toronto is a "health information custodian" (HIC) within the meaning of section 3(1) of PHIPA. The clinic's physicians and staff act as agents of the custodian when handling your personal health information. [LAWYER]
This policy applies to all personal health information collected, used, or disclosed by the clinic in any format (paper, electronic, image, or verbal communication).
2. What personal health information we collect
"Personal health information" (PHI) is defined in section 4 of PHIPA. The categories we collect include:
- Identifiers: full name, date of birth, address, telephone number, and email address.
- Health-card information: OHIP number and version code, or out-of-province / IFHP / private-pay equivalents.
- Referral information: family physician's name and contact, referring specialist details, and the contents of the referral letter.
- Clinical history: presenting complaint, prior diagnoses, surgical history, current medications, allergies, and family history relevant to chronic pain care.
- Imaging and diagnostic results: MRI, CT, X-ray, ultrasound reports, and any imaging files you authorize us to receive.
- Treatment record: clinical notes, procedure records, fluoroscopy and ultrasound images captured during image-guided procedures, and outcome measures (pain scales, functional questionnaires).
- Billing information: OHIP claim details, private-insurer claim information you submit, and itemized receipts.
Collection is limited to what is reasonably necessary for the purposes described in section 3 below, in accordance with section 30 of PHIPA. [LAWYER]
3. Why we collect it
Primary purpose: Providing health care — assessment, diagnosis, treatment, follow-up, and continuity of care.
Secondary purposes:
- Billing OHIP and processing private-insurance receipts on your behalf.
- Quality improvement and risk management within the clinic. [LAWYER]
- Research, but only with your express consent and only where the project has been approved by an accredited Research Ethics Board (REB). [LAWYER]
- Education of medical trainees, where you have given consent to their presence in the room or to the use of de-identified material.
- Meeting our legal and regulatory obligations (CPSO record-keeping, mandatory reporting under the Health Protection and Promotion Act, court orders, etc.).
We do not use your PHI for marketing, fundraising, or commercial purposes.
4. How we use it
Within the clinic, your PHI is accessible only to physicians, nurses, technologists, and administrative staff who need it to perform their role. All staff are bound by confidentiality agreements and PHIPA training.
Under PHIPA, we rely on your "implied consent" to use and share PHI within your circle of care for the primary purpose of treating you. You may withdraw or restrict that consent at any time (see section 8).
Research uses are restricted to projects with REB approval and an executed research agreement that meets section 44 of PHIPA. [LAWYER]
5. How we share or disclose it
We may disclose your PHI in the following circumstances:
- Circle of care: to your family physician, referring specialist, pharmacist, hospital, or another health-care provider involved in your care, on the basis of implied consent under PHIPA.
- Insurers: to private insurers and to the Workplace Safety and Insurance Board (WSIB), only with your express written consent for the specific claim. [LAWYER]
- OHIP / Ministry of Health: billing data submitted to the Ontario Health Insurance Plan as required to claim the procedure fee.
- Public health and mandatory reporting: reportable diseases, suspected child abuse, threats of self-harm or harm to others, and other disclosures required by Ontario or Canadian law.
- Legal process: subpoenas, court orders, summonses, or warrants, after appropriate legal review.
- Regulatory bodies: the College of Physicians and Surgeons of Ontario (CPSO) or other Ontario health regulatory colleges, where required by their governing statute.
We do not sell, rent, or trade your PHI.
6. Where we store your information
Paper records and physical media are kept in locked premises at the clinic. Electronic records are stored on Canadian-resident infrastructure operated by service providers that have signed a written agreement consistent with section 10(2) of PHIPA. [LAWYER]
Where any service provider stores or processes data outside of Canada, we require contractual safeguards equivalent to PHIPA and will identify the relevant providers in this policy. [LAWYER]
7. How long we keep it
We retain medical records for a minimum of ten (10) years from the date of your last interaction with the clinic, in line with the College of Physicians and Surgeons of Ontario's record-keeping standards. [LAWYER]
For records of patients who were under the age of majority at the time of treatment, we retain the record for a minimum of ten (10) years past the day they would have turned eighteen (18). [LAWYER]
Billing records and other financial documents are retained for the period required under the Income Tax Act and the Excise Tax Act, typically seven (7) years. [LAWYER]
After the retention period expires, paper records are securely shredded and electronic records are securely destroyed using methods that prevent reconstruction.
8. Your rights
Under PHIPA you have the right to:
- Access your record of personal health information (PHIPA s. 52).
- Request correction of information you believe is inaccurate or incomplete (PHIPA s. 55).
- Withdraw or restrict your consent to specific uses or disclosures, including disclosures within your circle of care ("lock-box" instruction).
- Be told if your information has been subject to a privacy breach that poses a real risk of significant harm.
- File a complaint with the clinic and, if unresolved, with the Information and Privacy Commissioner of Ontario.
We respond to written access and correction requests within 30 days, in accordance with PHIPA s. 54. A reasonable cost-recovery fee may apply, consistent with the regulations. [LAWYER]
9. How we protect your information
Technical safeguards: encryption of data at rest and in transit, individual user accounts with role-based access, audit logging, automatic session timeout, multi-factor authentication for clinical systems, and regular vulnerability patching.
Administrative safeguards: annual privacy training for all staff, signed confidentiality agreements, written privacy and breach-response policies, and periodic privacy audits of access logs.
Physical safeguards: locked file rooms, controlled access to clinical and administrative areas, secure shredding of paper records, and secure disposal of electronic media.
10. Cookies and website analytics
This website (thepainclinictoronto.com) is informational. It does not host a patient portal, accept appointment bookings, or store personal health information.
The site uses strictly necessary cookies to keep the site working (for example, remembering whether you have dismissed a notice). It does not currently use advertising or cross-site tracking cookies. If we add a website analytics provider in the future, this policy will be updated and the provider listed in section 11. [LAWYER]
You can disable cookies in your browser at any time. Disabling cookies will not prevent you from reading the site.
11. Third-party services we use
The following service providers process information on the clinic's behalf for the operation of this website. None of them have access to your medical record.
- WordPress hosting provider — server log data (IP address, browser user-agent, request timestamp). [LAWYER]
- All in One SEO (AIOSEO) — runs locally on the WordPress installation; no patient data leaves the server. [LAWYER]
- Advanced Custom Fields (ACF) — runs locally on the WordPress installation; no patient data leaves the server. [LAWYER]
- Website analytics provider — to be added; once selected, the provider name, the data it collects, and an opt-out link will be listed here. [LAWYER]
Each service provider that handles personal information on our behalf is bound by a written agreement requiring privacy and security safeguards consistent with PHIPA s. 10(2) and / or PIPEDA. [LAWYER]
12. What happens if there is a privacy breach
If personal health information is stolen, lost, or accessed by an unauthorized person, we will:
- Contain the breach and investigate its scope.
- Notify each affected patient at the first reasonable opportunity, as required by PHIPA s. 12(2).
- Notify the Information and Privacy Commissioner of Ontario where the circumstances meet the prescribed thresholds in O. Reg. 224/17.
- Notify the relevant regulatory college (e.g. the CPSO) where required by section 17.1 of PHIPA.
- Implement corrective measures to prevent recurrence.
13. Children and capacity
PHIPA recognizes a child's right to make decisions about their own health information when they are capable of doing so, regardless of age. Where a child is not capable of consenting, a substitute decision maker (typically a parent or guardian) consents on their behalf, in accordance with the order of priority set out in PHIPA s. 26.
For patients under 16, we will generally seek consent from a substitute decision maker unless the treating clinician determines the patient is capable. [LAWYER]
14. Contact us — questions, requests, complaints
To make an access or correction request, withdraw consent, or file a complaint, please contact our Privacy Officer:
[PRIVACY OFFICER NAME] [LAWYER]
Privacy Officer, Pain Clinic Toronto
Email: privacy@thepainclinictoronto.com [LAWYER]
Mailing address: [CLINIC ADDRESS] [LAWYER]
If you are not satisfied with our response, you may contact the Information and Privacy Commissioner of Ontario:
Office of the Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Telephone: 416-326-3333 / Toll-free: 1-800-387-0073
Web: ipc.on.ca
15. Changes to this policy
We review this policy at least annually and whenever there is a material change in our practices, our service providers, or applicable law. The "Last reviewed" date at the top of the page reflects the most recent review.
Material changes will be communicated on this page. Where the change affects the way an existing patient's information is used or shared, we will provide additional notice as required by PHIPA.