1. Purpose

This clinic is committed to protecting the privacy and confidentiality of personal and health information in accordance with applicable legislation, including the Personal Information Protection Act.

This policy outlines how personal information is collected, used, disclosed, and safeguarded in the course of providing physiotherapy services.

2. Definition of Personal Information

Personal information includes any information that can identify an individual, including but not limited to:

• Name, date of birth, and contact information

• Health history and clinical records

• Insurance and claim information (including WorkSafeBC claims)

• Appointment, billing, and payment information

• Any other identifiable personal or system-generated data

3. Information We Collect

We collect personal and health information necessary to provide safe and effective care, including:

• Personal identification and contact details

• Health history, assessment findings, and treatment notes

• Insurance and claim information

• Appointment and billing information

4. Purpose of Collection and Use

Personal information is collected, used, and disclosed only for purposes necessary to:

• Provide physiotherapy assessment and treatment

• Maintain clinical records

• Schedule and manage appointments

• Process payments and insurance claims

• Communicate with insurers (e.g., WorkSafeBC) and other healthcare providers, where appropriate

• Support clinic administration and quality assurance

5. Consent

Consent is obtained for the collection, use, and disclosure of personal information at the time of intake and/or treatment.

Patients may withdraw consent at any time, subject to legal or contractual obligations. Withdrawal of consent may affect the clinic’s ability to provide services.

6. Access to Personal Information

Access to personal information is restricted to authorized personnel and is based on role and necessity:

• The clinic owner and treating physiotherapists (including independent contractors) have access to clinical information required for patient care

• Reception/administrative staff have access only to the information necessary for scheduling, billing, and basic communication

• Reception staff do not access detailed clinical notes unless required for administrative purposes and authorized

• Access is controlled through secure, individual login credentials within the clinic’s electronic medical record system.

• When personnel or contractors leave or change roles, access is promptly updated or revoked.

7. Limitation of Collection, Use, and Disclosure

Personal information is only collected, accessed, used, and disclosed for the purpose of delivering services and clinic operations.

Access is limited strictly to individuals who require the information to perform their duties.

8. Use of Third-Party Service Providers

The clinic uses JaneApp as its electronic medical record system to securely store and manage patient information.

JaneApp and other service providers may have limited access to personal information strictly for:

• System maintenance

• Technical support

• Data security

All providers are required to comply with applicable privacy laws and maintain appropriate safeguards.

9. Storage and Security of Information

Personal information is stored securely using appropriate safeguards, including:

• Password-protected access

• Role-based permissions

• Secure data hosting in Canada

• Encryption and secure system architecture

The clinic maintains administrative, technical, and physical controls to protect personal information from unauthorized access, use, disclosure, or destruction.

10. Encryption

Personal information is protected using industry-standard encryption practices:

• Data is encrypted in transit and at rest through the clinic’s electronic medical record system, JaneApp

• Secure protocols and current security standards are used

11. Disclosure of Information

Personal information may be disclosed:

• To insurers such as WorkSafeBC for claims and reporting

• To other healthcare providers involved in care (with consent)

• When required by law

• Only the minimum necessary information is disclosed.

12. Metadata and System-Generated Data

Metadata or system-generated information that may identify an individual is treated as personal information and protected accordingly.

Such information is not used or disclosed in identifiable form beyond what is necessary for system operation and service delivery.

13. Retention of Records

Patient records are retained in accordance with professional and legal requirements in British Columbia:

• Adult records: minimum of 16 years from last visit

• Minor records: until age of majority plus 16 years

After this period, records are securely destroyed.

14. Secure Destruction and Return of Information

Personal information is securely destroyed at the end of its retention period.

Where required, the clinic will comply with requests from WorkSafeBC for the secure return or destruction of personal information.

15. Breach Notification

In the event of a privacy breach involving personal information, the clinic will:

• Take immediate steps to contain and assess the breach

• Notify affected individuals as appropriate

• Notify relevant authorities, including WorkSafeBC where applicable

16. Access and Correction

Patients have the right to:

• Request access to their personal information

• Request corrections to their records

Requests can be made in writing to the clinic.

17. Privacy Officer

The clinic owner acts as the Privacy Officer and is responsible for ensuring compliance with this policy and applicable legislation.

For questions, concerns, or requests regarding personal information, please contact:

Path Physiotherapy

info@pathphysio.ca

250-766-6121

18. Policy Updates

This policy may be updated periodically to reflect changes in legislation or clinic practices.