Privacy Policy

Last updated: January 1, 2025

1. Introduction

THClinic ("we", "us", or "our") is committed to protecting the privacy and confidentiality of your personal health information. We operate a family medicine clinic located at 2100 Finch Ave W, Suite 300, Toronto, ON M3N 2Z9, and this Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our clinic, use our patient portal, or communicate with us.

We understand that your health information is deeply personal and we take our responsibility to protect it seriously. Please read this policy carefully. By using our services, you consent to the practices described herein.

2. Information We Collect

We collect information necessary to provide you with safe, effective medical care. This may include:

Personal Health Information

  • Medical history, diagnoses, and treatment records
  • Prescription and medication history
  • Laboratory and diagnostic test results and imaging reports
  • Physician notes and clinical assessments
  • Immunization and vaccination records
  • Referral and consultation records

Contact & Identification Information

  • Full legal name, date of birth, and gender
  • Home address, phone number, and email address
  • Ontario Health Insurance Plan (OHIP) number and other provincial health card information
  • Emergency contact details

Website & Portal Usage Data

  • IP address, browser type, and device information when you access our patient portal
  • Pages visited and features used within our digital services
  • Appointment booking preferences and communication history

3. How We Use Your Information

We use your personal health information only for the purposes for which it was collected or as otherwise permitted by law:

  • Providing care: To assess, diagnose, treat, and manage your health conditions.
  • Appointments: To schedule, confirm, and remind you of upcoming appointments.
  • Communication: To respond to your inquiries and send you health-related information relevant to your care.
  • Billing: To submit claims to provincial health plans and process any applicable fees.
  • Quality improvement: To evaluate and improve the quality and safety of our services, in anonymized or aggregated form.
  • Legal compliance: To meet our obligations under applicable laws and regulations.

4. Legal Basis for Processing

Our collection, use, and disclosure of personal health information is governed by the following legislation:

  • Personal Health Information Protection Act (PHIPA), 2004 (Ontario): The primary legislation governing how health information custodians collect, use, and disclose personal health information in Ontario.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): Federal legislation that may apply to certain commercial activities and electronic communications.
  • Regulated Health Professions Act (RHPA), 1991: Governing the professional obligations of our regulated health professionals.

We collect and use personal health information primarily on the basis of your implicit or express consent, and where necessary for the provision of health care or as required by law.

5. Information Sharing & Disclosure

We do not sell, rent, or trade your personal health information. We may share your information in limited circumstances:

  • With your consent: When you authorize us to share information with another healthcare provider, specialist, or third party.
  • Circle of care: With other health information custodians who are directly involved in your treatment and require the information to provide care (e.g., specialists, hospitals, pharmacies).
  • Required by law: When we are legally required to disclose information, such as mandatory reporting requirements under public health legislation or pursuant to a court order.
  • Service providers: With trusted third-party service providers who assist in our operations (e.g., electronic health record systems, secure messaging platforms) under strict confidentiality agreements and data processing agreements.

6. Data Security

We implement industry-standard technical and organizational measures to protect your personal health information against unauthorized access, disclosure, alteration, or destruction:

  • Encryption of personal health information in transit (TLS/SSL) and at rest
  • Role-based access controls ensuring staff can only access information necessary for their role
  • Regular security audits and vulnerability assessments of our digital systems
  • Mandatory privacy and security training for all clinic staff and contractors
  • Physical security measures at our clinic premises, including secure storage of paper records
  • Incident response procedures to promptly address any privacy breaches in accordance with PHIPA requirements

While we take all reasonable precautions, no system is completely secure. We encourage you to use strong, unique passwords for your patient portal account and to contact us immediately if you suspect any unauthorized access.

7. Your Rights

Under PHIPA and applicable law, you have the following rights regarding your personal health information:

  • Right of access: You may request access to your own personal health information held by us. We will respond within 30 days.
  • Right to correction: If you believe your information is inaccurate or incomplete, you may request a correction.
  • Right to withdraw consent: You may withdraw consent for certain uses or disclosures, subject to legal and professional limitations.
  • Right to lock information: You may request that certain information not be shared even within your circle of care, subject to limitations where disclosure is legally required.
  • Right to complain: If you believe your privacy rights have been violated, you may file a complaint with the Information and Privacy Commissioner of Ontario (IPC).

To exercise any of these rights, please contact our Privacy Officer using the contact information provided in Section 9.

8. Retention of Information

We retain personal health information for as long as necessary to fulfill the purposes for which it was collected and as required by law:

  • Adult patient records: Minimum 10 years from the date of the last entry, or as otherwise required by the College of Physicians and Surgeons of Ontario (CPSO).
  • Records for minor patients: Retained until the patient reaches the age of 18, plus an additional 10 years.
  • Financial and billing records: Minimum 7 years as required by tax and accounting regulations.
  • Website and portal logs: Typically 12 months, unless required for security investigations or legal purposes.

When personal health information is no longer required, it is securely destroyed using methods that prevent reconstruction or unauthorized retrieval.

9. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal health information, please contact our Privacy Officer:

Privacy Officer

THClinic

2100 Finch Ave W, Suite 300, Toronto, ON M3N 2Z9

Phone: (416) 555-0123

Email: info@thclinic.ca

We will acknowledge receipt of your inquiry within 2 business days and endeavour to resolve all privacy-related matters in a timely manner.

You also have the right to contact the Information and Privacy Commissioner of Ontario (IPC) at www.ipc.on.ca if you feel your privacy rights have not been respected.

This Privacy Policy was last reviewed and updated on January 1, 2025. We reserve the right to modify this policy at any time. Material changes will be communicated to patients via notice posted in the clinic and on our website.