We are committed to protecting your privacy and ensuring the confidentiality of your personal health
information. Please find below all of the details about how we strive to keep your privacy protected.
Interpretation
The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for You to access our Service or parts of our Service.
- Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Eating Disorder Dietitian: Brittaney Berendsen RD.
- Country refers to: Ontario, Canada
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Personal Data is any information that relates to an identified or identifiable individual.
- Service refers to virtual nutrition counseling.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
- You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Our Organization:
Health Information Custodian: Brittaney Berendsen RD
Information Officer/Contact Person: Brittaney Berendsen RD
Who We Are:
Brittaney Berendsen, RD is the lead dietitian of Eating Disorder Dietitian: Brittaney Berendsen RD. We use other healthcare professionals and support staff that assist in the provision of care to our clients.
We also work with consultants and agencies that may, in the course of their duties, have limited access to Personal Information we hold. These include contract dietitians, interns, credit card companies, online charting system personnel and website managers.
We restrict access to any Personal Information we hold as much as is reasonably possible. We also obtain assurances from any healthcare professionals, support staff, consultants and agencies that they will follow appropriate privacy principles.
What is Personal Information and Personal Health Information?
Personal information means any factual or subjective information, recorded or not, about an identifiable individual, including without limitation, age, name, ID numbers, income, ethnic origin. Personal health information is identifying information about an individual in oral or recorded form that relates to the details of their healthcare, including:
- the physical, nutritional or mental health of the individual (including the family health history);
- the provision of health care to the individual (including identifying the individual’s health care provider(s));
- a plan of service under the Home Care and Community Services Act, 1994;
- payments or eligibility for health care or coverage for health care;
- the individual’s health number; or
- the identification of the individual’s substitute decision-maker.
Personal Information collected may include: name, home address, telephone number, email address, gender, pronouns, age, language, occupation, religion, ethnicity, race, country of origin, and other personal identities.
Personal Health Information collected may include: health history of an individual, family health history, health measurements (i.e. weight, height), lab, diagnostic and examination results, health conditions, assessment results or diagnoses, health services provided to or received by the individual, nutrition diagnoses, clinical opinions formed during assessment and treatment, compliance with recommended treatments and nutrition interventions, reasons for discharge and discharge recommendations, and the identity and contact information of the individual’s other healthcare providers.
Purpose for Collecting, Using and Disclosing Personal Health Information
We collect, use, and disclose personal health information for the following purposes:
- to provide nutrition counseling to our clients
- to help us assess what clients’ needs are
- to advise clients of treatment options
- to obtain a baseline of health and social information so that in providing ongoing health services, changes can be identified
- to contact you: by email, secure encrypted message (on the Practice Better Platform), telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
- to conduct quality improvement and risk management activities: We review client files to ensure that we provide high quality services, including assessing the performance of our staff, contract dietitians and interns.
- to comply with our regulatory obligations to the College of Dietitians of Ontario
- to obtain payment for services provided (from you via credit card payment or electronic transfer)
- to teach students and to provide continuing education to our staff
- for other purposes permitted by law
With your permission, this information may be disclosed to other members of your health care team, to provide you with optimal health care. We will collect, use, and disclose only as much personal health information as is needed to achieve these purposes. You can withhold or withdraw your consent to the collection, use or disclosure of your personal health information by contacting us (details below).
Protecting Personal Information
We understand the importance of protecting Personal Information. For that reason, we have taken the following steps:
- Paper information is secured in a locked or restricted area.
- Electronic hardware is either under supervision or secured in a locked or restricted area at all times. In addition, strong passwords are used on all computers and mobile devices.
- We try to avoid travelling with personal health information. However, when we do so, we transport, use and store the personal health information securely.
- Paper information is transferred through sealed, addressed envelopes or boxes by reputable companies with strong privacy policies.
- Electronic information is either anonymized or encrypted before being transmitted.
- Our staff members and contract employees are trained to collect, use and disclose Personal Information only as necessary to fulfill their duties and in accordance with our privacy policy.
- We do not post any Personal information about our clients on social media sites and our staff and contract employees are trained on the appropriate use of social media.
- External consultants and agencies with access to Personal Information must enter into privacy agreements with us.
The Service Providers We use may have access to Your Personal Data. These third-party vendors collect, store, use, process and transfer information about Your activity on Our Service in accordance with their Privacy Policies.
Email Communications
GOOGLE/ GMAIL: Their Privacy Policy can be viewed at https://policies.google.com/privacy?hl=en-US
Electronic Medical Record
PRACTICE BETTER: Their Privacy Policy can be viewed at https://practicebetter.io/privacy/
Payments
We may provide paid products and/or services within the Service. In that case, we may use third-party services for payment processing (e.g. payment processors).
We will not store or collect Your payment card details. That information is provided directly to Our third-party payment processors whose use of Your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.
STRIPE: Their Privacy Policy can be viewed at https://stripe.com/us/privacy
Openness about the Personal Information Process
Our Privacy Policy is available from our website at http://www.edrdbb.com and can be provided to any individual upon request. A copy of our Privacy Commitment, which summarizes our Privacy Policy, is provided to each new client at the time the consent form is signed.
Your Medical Records and Rights
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.
Get an electronic or paper copy of your medical record
- You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.
- We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
Ask us to correct your medical record
- You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this.
- Correction requests are restricted to factual information. Professional observations and opinions are not generally subject to correction requests.
- If we agree that there is a mistake in the record, we will make the correction, but we will not destroy the original entry. At your request and where it is reasonably possible, we will notify third parties to whom we sent this information. We reserve the right to refuse to notify a third party if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or some other benefit to the individual.
- We may say “no” to your request, but we’ll tell you why in writing within 60 days and a notice of disagreement will be filed with the record. Upon any notice of refusal, we will advise you of your right to complain to the Information and Privacy Commissioner about the refusal.
- We may also refuse corrections, if, for example, the request is frivolous, vexatious or made in bad faith, or if we did not create the record and do not have sufficient knowledge, expertise or authority to make the correction.
Request confidential communications
- You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
- We will say “yes” to all reasonable requests.
Ask us to limit what we use or share
- You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
- If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.
Get a list of those with whom we’ve shared information
- You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
- We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
Choose someone to act for you
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
- We will make sure the person has this authority and can act for you before we take any action.
Retention and Destruction of Personal Information
We will retain clinical records for 10 years after the last client interaction or 10 years after the client turns 18 years of age. If required by the circumstances, We may retain a clinical record for a longer period of time, such as where litigation is contemplated or ongoing or where a request for access to the record is outstanding.
Personal health information will be disposed of in a secure manner so that the records cannot be reconstructed (s.13 of the Act and s. 1(5.1) of the regulations). Paper records will be cross-cut shredded (using external shredding services) and electronic files will be deleted or destroyed in a way that the information cannot be recovered.
When Brittaney Berendsen, RD dies, the person responsible for her estate will be responsible for complying with applicable legislation governing Personal Information until he or she is able to transfer the information to another health information custodian.
Privacy Breach
While we will take precautions to avoid any breach of your privacy, if there is a loss, theft or unauthorized access of your Personal Information we will notify you.
Upon learning of a possible or known breach, we will take the following steps, as applicable:
Step 1: Respond immediately by implementing the organization’s privacy breach protocol.
- Inform the necessary staff within the organization.
- Consider whether the Commission must or should be notified (PHIPA provides that regulations may be passed setting out certain kinds of breaches that must be reported to the Commission, s. 12(3)).
Step 2: Containment – Identify the scope of the potential breach and take steps to contain it.
- Assess what and how much information was breached and in what manner (e.g., paper format, electronic format), including individuals or organizations who may have been involved with or are responsible for the breach, and the nature and quantity of the Personal Health Information that is affected.
- Determine whether copies were made and retrieve any copies of Personal Health Information (PHI) that have been disclosed.
- Ensure that no copies of PHI have been made or retained by anyone who was not authorized to receive the information. Record the person’s contact information in case follow-up is required.
- Determine whether the breach would allow unauthorized access to any other PHI. Implement any necessary action to contain further unauthorized access (e.g., change passwords, identification numbers and/or temporarily shut down a system).
- In case of unauthorized access by an agent, consider suspending their access rights.
Step 3: Notification – Identify those individuals whose privacy was breached and notify them of the breach.
- Notify all individuals whose personal health information has been compromised in the most appropriate way possible in light of the sensitivity of the information (e.g., by phone, in writing, at your next appointment, etc.) and at the first reasonable opportunity. Where appropriate, the individual will be informed of the name of the agent responsible for unauthorized access, the date of the breach, a description of the nature and scope of the breach, a description of the PHI that was subject to the breach, and the measures implemented to contain the breach.
- Inform all individuals of the steps that have or will be taken to address the privacy breach and that the Information and Privacy Commissioner’s Office, Ontario has been informed.
- Provide the individuals with the organization’s and the Information and Privacy Commissioner’s Office of Ontario contact information in case individuals have further questions.
- Advise the individual of their right to make a complaint to the Commission (s. 12).
Step 4: Investigation and Remediation
- Conduct an internal investigation into the matter to identify how and why the privacy breach occurred.
- Take the necessary steps to implement a plan that strives to prevent similar privacy breaches from occurring in the future.
- If deemed necessary, we will advise the Information and Privacy Commissioner’s Office of Ontario of the investigation findings and the proposed future prevention plan and work together to make any necessary changes.
- Report the results of the investigation to the relevant regulatory College if appropriate or required (PHIPA requires HICs to report certain events to the relevant regulatory College, including when a member is suspended, terminated or otherwise disciplined or has had their privileges or business affiliation revoked or restricted as a result of a privacy breach; s. 17.1. The organization may also be required to report the circumstances to a regulatory College under the Regulated Health Professionals Act, 1991 in cases of professional misconduct, incompetence or incapacity.)
- Ensure all staff are appropriately trained and conduct further training if required.
Depending on the circumstances of the breach, we may notify and work with the Information and Privacy Commissioner of Ontario. If we take disciplinary action against one of our practitioners (or revoke or restrict the privileges or affiliation of one of our practitioners) for a privacy breach, we are required to report that to the practitioner’s regulatory College. We may also report the breach to the relevant regulatory College if we believe that it was the result of professional misconduct, incompetence or incapacity.
Complaints System
File a complaint if you feel your rights are violated
- If you wish to make a formal complaint about our privacy practices, you may make it in writing to Brittaney Berendsen at edrdbb@gmail.com. Brittaney Berendsen will acknowledge receipt of your complaint and ensure that it is investigated promptly and that you are provided with a formal decision and reasons. Every effort is made to investigate and provide a decision and reasons within 30 days.
- You can file a complaint with the College of Dietitians of Ontario
- The College of Dietitians of Ontario | 175 Bloor Street East, North Tower, Suite 601 Toronto, ON, M4W 3R8 | Telephone: (416) 598-1725 or 1-800-668-4990 | Fax: (416) 598-0274 | http://www.collegeofdietitians.org
- You also have the right to complain to the Information and Privacy Commissioner of Ontario if you have concerns about our privacy practices or how your personal health information has been handled.
- Information and Privacy Commissioner of Ontario | 2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8 | Telephone: 1 (800) 387-0073 | Fax: (416) 325-9195 | http://www.ipc.on.ca
- We will not retaliate against you for filing a complaint.
This policy is made under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3. It is a complex statute and provides some additional exceptions to the privacy principles that are too detailed to set out here.
Last updated: April 20th, 2023