Patient Privacy Policy
LAST UPDATED: December 15, 2020
ABELDent is committed to protecting and securing the patient information entrusted to us by customers who use ABELMed or ABELDent (the “software”). The term ‘patient information’ as used in this policy includes a patient’s name, birthdate, contact information, appointment details, payments, insurance information, personal health information, such as any information about a patient’s treatment, health history or medications, and any other patient-related information recorded using the software. Patient information does not include aggregate or de-identified information that cannot be associated with a specific individual.
ABELDent takes great care in managing patient information that may be shared with us or is made accessible to us by our customers. We have taken important steps to support customer compliance with the provincial health privacy statutes that apply to healthcare professionals. This Privacy Policy stands as a reflection of ABELDent’s commitment to privacy.
ABELDent takes full responsibility for the management and confidentiality of patient information in our custody or control. Patient information is collected, used, shared and stored in accordance with federal and provincial privacy laws that apply to ABELDent and its customers.
ABELDent has appointed a Privacy Officer who oversees compliance with privacy laws and best practice. The Privacy Officer’s duties include:
- Developing and, on a regular basis, reviewing ABELDent’s privacy and data security policies and practices to ensure consistent implementation and compliance;
- Ensuring all staff are trained on privacy best practices and are aware of the importance of safeguarding any patient information that they are privy to;
- Ensuring that all inquiries and complaints relating to privacy are appropriately handled; and
- Ensuring all third parties to whom ABELDent provides access to patient information adhere to appropriate standards of care in managing that information.
Patient information is directly collected by our customers and recorded on various screens in the software. The data is hosted on the customer’s local servers or in a secure cloud environment. ABELDent acts as a service provider or agent of the customer, and thus only indirectly collects patient information or is provided with access to this information if required to support the customer, as outlined in the next section of this policy. Thus, the customer always has full knowledge of any temporary collection of or access to patient information by ABELDent. ABELDent relies entirely on the patient’s treating physician/dentist to obtain consent for the collection of patient information.
Patient information is used or made accessible to ABELDent for one or more of the following specific purposes:
- to convert the customer’s patient data into a format compatible with the use of the software;
- to provide support services on an as-needed basis, and assist customers with any technical difficulties they may experience when using the software;
- to securely host and maintain patient data on behalf of a client, if hosting services are required;
- to provide secure back-up services to the client as requested;
- to meet any legal and regulatory requirements that are imposed upon ABELDent from time to time, or to bring or defend against legal actions;
- For such other reasonable purposes for which consent has been obtained, or as otherwise permitted or required by law.
Patient information is shared or made accessible to third parties only to the extent required to provide customers with our software and services, and to comply with legal requirements. We may share patient information in the following circumstances:
- as directed by our customers in writing;
- with our partners or service providers who assist us with servicing customers, such as by providing hosting or data back-up services. These trusted entities implement best practice security standards;
- to a court, administrative tribunal, governmental authority or other body authorized to compel the disclosure of patient information; for the purpose of complying with legal requirements such as a law, regulation, search warrant, subpoena, or court or administrative order; or as otherwise required or permitted by applicable law.
ABELDent acknowledges that a data security breach could result in potential harm to individuals whose information is entrusted to ABELDent. Thus, we have implemented critical physical, organizational and technical measures to guard against unauthorized or unlawful access to the patient information we manage and store. We have also taken steps to avoid accidental loss or destruction of, or damage to, patient information. While no system is completely secure, the measures implemented by ABELDent significantly reduce the likelihood of a data security breach.
Here are some examples of the security controls we have in place:
- Secure office premises;
- Locked filing cabinets and a secure shredding practice for any paper records;
- The use of encryption for data in transit and at rest when patient information is required for support purposes;
- Firewalls, anti-virus programs and robust authentication processes, including complex passwords and two-factor authentication, for access to electronic records;
- Limited access to patient information by employees who need the information to perform their work-related duties;
- The use of sophisticated data centers with effective physical and logical data security controls;
- Training initiatives and regular reminders to raise awareness amongst staff of their data protection responsibilities; and
- Regular reviews of privacy compliance and best practice initiatives.
Here are some examples of the security controls built into ABELDent’s software:
- Role-based security controls are in place. For example, restrictions are in place for who is able to view personal health information, whether added by a patient (e.g. a health history form) or a provider (e.g. clinical notes);
- Strong passwords are enforced by the software with specific complexity rules such as a minimum length of 8 characters and a mix of letters and numbers/special characters;
- When the client relies on ABELDent for data hosting in a data centre or in the cloud, end-to-end encryption is used to secure data in transit and at rest;
- Easily accessible audit logs to investigate read/write activity at the record-level for screens containing personal health information, searchable by patient, user or date.
In addition, we recommend that customers do their part in preventing unauthorized access to patient information. For example, customers should enforce that passwords never be shared or written down. Also, our customers are responsible for ensuring users log in using unique usernames to allow transparency of their actions. ABELDent is not liable for any unauthorized access to patient information that is beyond our reasonable control.
In the context of offering support services, our support technicians may require access to customer systems. In most cases, the customer’s concerns can be addressed without collecting patient information. However, if limited patient information must be collected from our customers’ servers for support purposes, this data is only kept long enough to resolve the support case, and is then diligently destroyed.
In some contexts, such as complex support cases or in the context of converting a customer’s database so it is in a format suitable for the software, more extensive patient information may need to be copied to, and stored on, ABELDent’s secure servers. In these circumstances, once the data is no longer required, it is securely destroyed from our servers. Regular auto-purging of data also ensures that data is not inadvertently retained for lengthy periods of time.
Development and testing work conducted by ABELDent, as we enhance our software or offer additional features to our customers, only takes place using dummy or fully scrambled data that does not identify a real patient.
If back-up services are provided by ABELDent, patient data is retained in and can be restored from secure back-ups. Upon written request and confirmation, ABELDent will make reasonable efforts to assist a client meet its data retention and destruction schedules. Keep in mind however that data may persist in back-up storage spaces for a period of time before being overwritten.
ABELDent takes privacy complaints very seriously and has a procedure in place for escalating and managing any privacy related concerns to ensure that they are responded to in a timely and effective manner. Any suspected privacy breach must be escalated internally to ABELDent’s Privacy Officer who oversees the containment, investigation and corrective actions for the breach situation, as well as timely notification to the customer.
We may change this Privacy Policy from time to time in order to better reflect our current patient information handling practices. Thus, we encourage you to review this document frequently! The “Last Updated” date at the top of this Privacy Policy indicates when changes to this policy were published and are thus in force. Your continued use of the software following the posting of any changes to this Privacy Policy means you accept such changes.
Any inquires, concerns or complaints regarding privacy should be directed to:
ABELDent Inc.
4145 North Service Road, Suite 200
Burlington, ON L7L 6A3
Phone: 905-333-3200
E-mail: privacy@abelhealthgroup.com
Your concerns will receive prompt attention. Our Privacy Office can also provide you with more detailed information about ABELDent’s policies and practices. Patients who may contact us for access to their own information will be directed to their treating physician or dentist.
Keep in mind that e-mail is not a secure form of communication, so never send confidential information to us this way.
Thank you for your continued trust in ABELDent.