Everything You Need To Know: OnCall Health's Privacy Policy

Jul 02, 2019

A core value at OnCall Health is to provide private and secure service to all who choose to use our platform. This goes for data across all the features on our platform, including the latest Analytics feature, which offers a tracking tool and visual summary on all patient-provider activities. OnCall Health supports access to mental health services, and strives to ensure all of the practitioners and patients who use our platform may access such services without worrying about agreeing to policies that are buried in complex language or jargon. Additionally, you can learn about the ethics of virtual care here.

Let’s take a look at OnCall Health’s Privacy Policy, broken down piece by piece. Before we get into the separate sections, let’s take a moment to briefly define two key terms:

  1. Personal Information: Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, e.g. age, name, ID numbers, employee files, credit cards, and more.
  2. Personal Health Information: Personal Health Information is defined as identifying information about an individual, if the information relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family, is the individual’s health number, and more.

Now, let’s take a look at how OnCall Health operates in compliance with privacy laws to protect patient and provider information (click to learn more about compliance with PHIPA, PIPEDA, or HIPAA).

The OnCall Health Privacy Policy is broken down into 6 sections:

  • Commitment
  • Collected Information
  • Protected Information
  • Use of Information
  • Breach Protocol
  • Consent

Commitment:

OnCall Health’s commitment to its platform’s users can be briefly outlined as such:

OnCall Health requires your express permission before using your information. Otherwise, we don’t use it.

Collected Information:

From Healthcare Providers: Name, business, contact information, specialization.

From Patients: Name, email address, appointment date and time, “notes for patient” (added by the provider after the appointment), secure file attachments sent through the platform.

And that’s all.

Protected Information:

There are 3 levels of protection for all information stored by OnCall Health:

  • Physical Safeguards
  • Technological Safeguards
  • Administrative Measures

Let’s take a brief look at each of these levels to understand how OnCall Health protects information.

Physical Safeguards:

There are 5 main physical safeguards in place to keep information in OnCall Health’s custody safe.

  1. Access to information storage areas requires authorization
  2. Authorization access is protected by a code
  3. Nothing leaves the secure premises
  4. Backups for information are locked
  5. Information is not stored on paper

Technological Safeguards:

In compliance with relevant privacy requirements and legislation, all information is stored on servers in the user’s own country: a Canadian patient’s information is stored on servers in Canada, while data relating to an American patient and provider is stored securely on American servers.

OnCall Health’s servers are operated by Amazon Web Services Secure Cloud (AWS). Effectively, AWS is a highly “secure and governed cloud storage platform”. AWS is certified as compliant with ISO Standard 27018 Code of Practice for PII protection in public clouds.

Wow. What does that mean? (Here is a longer and better description of what this means.)

ISO (International Organization for Standardization) Standard 27018 Code of Practice is relevant to the protection of personally identifiable information (like personal health information) in the public cloud computing environment. This Standard is enforced by the ISO (a complete version of this standard can be found here). Effectively, this means that any patient information stored on OnCall Health’s servers is secure, and backed by the ISO.

Okay, so the servers are secure. But, what about the video sessions themselves?

Secure video and text consultations are encrypted with the AES cipher using 256-bit keys. Video sessions are also NEVER recorded or stored anywhere.

More tech jargon! Yay!

The AES cipher is the Advanced Encryption Standard. Now, anyone who saw the Alan Turing biopic, The Imitation Game (2014), will remember that a cipher is a method of scrambling information so that no one can read it except the person holding the tool to unscramble it (called a key). This process is a type of encryption. AES uses multiple layers of encryption to protect information stored on OnCall Health’s servers. The key needed to unscramble the cipher is never stored anywhere, and is always randomized. Through this process, OnCall Health’s platform is encrypted end-to-end, providing a high level of security for our clients.
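To make the description above concrete, here is an added example in Go (it is not OnCall Health’s code and does not show how their platform is actually built). It assumes a fresh, random 256-bit key for each session and uses AES in GCM mode, which is an assumption on top of the post’s “AES with 256-bit keys” (GCM also authenticates the ciphertext, so a modified message is rejected rather than silently decrypted into garbage). The sample message is constructed and contains no real patient data.

```go
// Added example, not OnCall Health's code: AES-256-GCM with a per-session random key.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewSessionKey returns a fresh 256-bit key from the OS random source.
// In the model the post describes, such a key is generated per session
// and never written to storage.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = 256 bits
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. A random 12-byte nonce is
// prepended to the output; GCM's authentication tag (appended by Seal)
// lets Open detect any change to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error (and no partial plaintext) if the
// key is wrong or the sealed message was modified in transit.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewSessionKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; not real patient data.
	msg := []byte("constructed sample: appointment note for patient P-0001")
	sealed, err := Seal(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext (%d bytes) is unreadable without the key: %x...\n", len(sealed), sealed[:16])

	plain, err := Open(key, sealed)
	fmt.Println("correct key recovers the note:", err == nil && bytes.Equal(plain, msg))

	wrongKey, _ := NewSessionKey()
	_, err = Open(wrongKey, sealed)
	fmt.Println("a different key is rejected:", err != nil)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the message
	_, err = Open(key, tampered)
	fmt.Println("a modified message is rejected:", err != nil)
}
```

The three checks in `main` are the properties a reader should expect from the post’s description: the holder of the key can read the message, anyone without it cannot, and a message altered in transit is refused rather than decrypted. Because the key lives only in memory for the session, nothing written to disk can later be used to reconstruct the conversation.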

Make sense? Good!

Once information is no longer necessary to provide the service, all personal and personal health information is destroyed or anonymized. Only authorized personnel are able to access the information that is absolutely necessary to deliver the service.

Administrative Measures:

All privacy matters are overseen by OnCall Health’s Chief Privacy & Security Officer (CPSO). The CPSO is responsible for a variety of safety and privacy initiatives, including completing background checks on all employees, undertaking threat and risk assessments on a regular basis, receiving and issuing reports on privacy compliance, and granting access to OnCall Health data.

Privacy policies are continually updated and audited by a third party.

Use of Information:

OnCall Health does NOT:

  • Use any personal information or personal health information without express consent.
  • Sell any personal information or personal health information, or make any information public in exchange for remuneration.

OnCall Health DOES:

  • Seek out users’ explicit consent prior to opting anyone in to receiving relevant information on products, services, or promotions.

Breach Protocol:

OnCall Health has taken all reasonable measures to prevent breaches. Our response procedure is simple: keep our users informed by notifying them at the first reasonable opportunity, and apply remedial measures immediately.

Consent:

This Privacy Policy in its full form is available here.

All users of the OnCall Health platform must consent to this policy prior to use.

We created our privacy policy with simplicity in mind and to be intentionally transparent about the way we protect clients’ information. Patient privacy and simplifying security compliance for healthcare providers will always be our top priorities. 

For more information about OnCall Health’s Privacy Policy or standards, please contact Chief Privacy Officer, Nicholas Chepesiuk.
