LAST UPDATED: December 15, 2020
ABELSoft is committed to protecting and securing the patient information entrusted to us by customers who use ABELMed or ABELDent (the “software”). The term ‘patient information’ as used in this policy includes a patient’s name, birthdate, contact information, appointment details, payments, insurance information, personal health information, such as any information about a patient’s treatment, health history or medications, and any other patient-related information recorded using the software. Patient information does not include aggregate or de-identified information that cannot be associated with a specific individual.
ABELSoft takes full responsibility for the management and confidentiality of patient information in our custody or control. Patient information is collected, used, shared and stored in accordance with federal and provincial privacy laws that apply to ABELSoft and its customers.
ABELSoft has appointed a Privacy Officer who oversees compliance with privacy laws and best practice. The Privacy Officer’s duties include:
- Developing and, on a regular basis, reviewing ABELSoft’s privacy and data security policies and practices to ensure consistent implementation and compliance;
- Ensuring all staff are trained on privacy best practices and are aware of the importance of safeguarding any patient information that they are privy to;
- Ensuring that all inquiries and complaints relating to privacy are appropriately handled; and
- Ensuring all third parties to whom ABELSoft provides access to patient information adhere to appropriate standards of care in managing that information.
Patient information is directly collected by our customers and recorded on various screens in the software. The data is hosted on the customer’s local servers or in a secure cloud environment. ABELSoft acts as a service provider or agent of the customer, and thus only indirectly collects patient information or is provided with access to this information if required to support the customer, as outlined in the next section of this policy. Thus, the customer always has full knowledge of any temporary collection of or access to patient information by ABELSoft. ABELSoft relies entirely on the patient’s treating physician/dentist to obtain consent for the collection of patient information.
Patient information is used or made accessible to ABELSoft for one or more of the following specific purposes:
- to convert the customer’s patient data into a format compatible with the use of the software;
- to provide support services on an as-needed basis, and assist customers with any technical difficulties they may experience when using the software;
- to securely host and maintain patient data on behalf of a client, if hosting services are required;
- to provide secure back-up services to the client as requested;
- to meet any legal and regulatory requirements that are imposed upon ABELSoft from time to time, or to bring or defend against legal actions;
- for such other reasonable purposes for which consent has been obtained, or as otherwise permitted or required by law.
Patient information is shared or made accessible to third parties only to the extent required to provide customers with our software and services, and to comply with legal requirements. We may share patient information in the following circumstances:
- as directed by our customers in writing;
- with our partners or service providers who assist us with servicing customers, such as by providing hosting or data back-up services. These trusted entities implement best practice security standards;
- to a court, administrative tribunal, governmental authority or other body authorized to compel the disclosure of patient information; for the purpose of complying with legal requirements such as a law, regulation, search warrant, subpoena, or court or administrative order; or as otherwise required or permitted by applicable law.
ABELSoft acknowledges that a data security breach could result in potential harm to individuals whose information is entrusted to ABELSoft. Thus, we have implemented critical physical, organizational and technical measures to guard against unauthorized or unlawful access to the patient information we manage and store. We have also taken steps to avoid accidental loss or destruction of, or damage to, patient information. While no system is completely secure, the measures implemented by ABELSoft significantly reduce the likelihood of a data security breach.
Here are some examples of the security controls we have in place:
- Secure office premises;
- Locked filing cabinets and a secure shredding practice for any paper records;
- The use of encryption for data in transit and at rest when patient information is required for support purposes;
- Firewalls, anti-virus programs and robust authentication processes, including complex passwords and two-factor authentication, for access to electronic records;
- Limited access to patient information by employees who need the information to perform their work-related duties;
- The use of sophisticated data centers with effective physical and logical data security controls;
- Training initiatives and regular reminders to raise awareness amongst staff of their data protection responsibilities; and
- Regular reviews of privacy compliance and best practice initiatives.
Here are some examples of the security controls built into ABELSoft’s software:
- Role-based security controls are in place. For example, restrictions are in place for who is able to view personal health information, whether added by a patient (e.g. a health history form) or a provider (e.g. clinical notes);
- Strong passwords are enforced by the software with specific complexity rules such as a minimum length of 8 characters and a mix of letters and numbers/special characters;
- When the client relies on ABELSoft for data hosting in a data centre or in the cloud, end-to-end encryption is used to secure data in transit and at rest;
- Easily accessible audit logs to investigate read/write activity at the record-level for screens containing personal health information, searchable by patient, user or date.
In addition, we recommend that customers do their part in preventing unauthorized access to patient information. For example, customers should enforce that passwords are never shared or written down. Also, our customers are responsible for ensuring users log in using unique usernames to allow transparency of their actions. ABELSoft is not liable for any unauthorized access to patient information that is beyond our reasonable control.
In the context of offering support services, our support technicians may require access to customer systems. In most cases, the customer’s concerns can be addressed without collecting patient information. However, if limited patient information must be collected from our customers’ servers for support purposes, this data is only kept long enough to resolve the support case, and is then diligently destroyed.
In some contexts, such as complex support cases or in the context of converting a customer’s database so it is in a format suitable for the software, more extensive patient information may need to be copied to, and stored on, ABELSoft’s secure servers. In these circumstances, once the data is no longer required, it is securely destroyed from our servers. Regular auto-purging of data also ensures that data is not inadvertently retained for lengthy periods of time.
Development and testing work conducted by ABELSoft, as we enhance our software or offer additional features to our customers, only takes place using dummy or fully scrambled data that does not identify a real patient.
If back-up services are provided by ABELSoft, patient data is retained in and can be restored from secure back-ups. Upon written request and confirmation, ABELSoft will make reasonable efforts to assist a client in meeting its data retention and destruction schedules. Keep in mind, however, that data may persist in back-up storage spaces for a period of time before being overwritten.
ABELSoft takes privacy complaints very seriously and has a procedure in place for escalating and managing any privacy-related concerns to ensure that they are responded to in a timely and effective manner. Any suspected privacy breach must be escalated internally to ABELSoft’s Privacy Officer, who oversees the containment, investigation and corrective actions for the breach situation, as well as timely notification to the customer.
Any inquiries, concerns or complaints regarding privacy should be directed to:
3310 South Service Rd., Unit 101
Burlington, ON L7N 3M6
Your concerns will receive prompt attention. Our Privacy Office can also provide you with more detailed information about ABELSoft’s policies and practices. Patients who may contact us for access to their own information will be directed to their treating physician or dentist.
Keep in mind that e-mail is not a secure form of communication, so never send confidential information to us this way.
Thank you for your continued trust in ABELSoft.