Skip to main content
All CollectionsCompliance
Freed’s Compliance with Canadian Privacy Laws
Freed’s Compliance with Canadian Privacy Laws
Updated over 5 months ago

Freed’s Compliance with Canadian Privacy Laws with regard to Patient Health Information

Updated: February 2024

Based on a legal review by attorneys in Canada, the following items should be noted with regard to Freed Inc.’s compliance with federal and provincial laws and regulations in Ontario and British Columbia.

Data residency

  • Federal and provincial: Canada’s federal privacy laws and the provincial privacy laws applicable to Freed in BC and Ontario do not contain restrictions regarding data residency, which means that personal information can be retained and stored outside of Canada though it’s required that the information be sufficiently protected. Data security and encryption methods that comply with US SOC 2 and HIPAA standards are deemed sufficiently protected.

Consent

  • Federal and provincial: There are requirements regarding individual consent found in federal and provincial privacy laws. Canadian customers of Freed are recommended to gain consent from their patients to use an AI scribe service. We can share a recommended best practice consent form if you’d like.

Breach notification

  • Federal: Canada’s federal privacy legislation contains breach notification requirements.

  • BC: BC doesn’t contain this requirement for private organizations, but the BC privacy commissioner recommends that breaches be reported in certain circumstances.

  • Ontario: Ontario’s health privacy legislation contains breach notification requirements that would likely apply to prospective customers in Ontario and they may want to flow down these requirements to you.

  • Freed is required to provide US customers with breach notifications, and will do the same for Canadian customers.

Accountability

  • Federal and BC: The federal privacy laws and BC privacy laws require designating an individual who is responsible for privacy compliance. Their name or title and contact information must be made publicly available. These laws also require developing and putting into practice policies and procedures to protect personal information and receive and respond to complaints. There are similar requirements in Ontario that would likely apply to prospective customers in Ontario.

  • Freed’s Chief Financial Officer and Chief Technology Officer together fulfill the role of Compliance Officer for the company. Their contact information is shared with Canadian customers.

Safeguards

  • Federal and BC: The federal privacy laws and BC privacy laws require Freed to use reasonable safeguards to protect personal information. There are similar requirements under Ontario’s privacy laws that can be flowed down from Canadian customers to Freed.

  • The safeguards should address physical security, technological security and administrative controls depending on the sensitivity of the information. Physical security includes restricting access to offices. Technological security includes using passwords, encryption. Administrative measures include limiting access on a "need to know" basis. Yes, being SOC2 compliant should cover you here.

  • A detailed document covering our security protocols, encryption methods, technology infrastructure, and related items can be shared separately.

Retention

  • Federal and BC: The federal privacy laws and BC privacy laws require keeping personal information only for as long as necessary to meet the original purposes unless required longer for legal or business purposes.

  • Freed has a default record (AI-generated notes) retention period of 30 days. This default period can be increased or decreased to any time period based on customer requirements.

Access and Correction

  • All: Under all three privacy laws, individuals have a right to access their health records with some exceptions. Individuals may also request correction of their records.

  • Freed-generated Patient Instructions (after-visit summaries) can be shared directly with patients. Patients would be able to contact their clinician to request edits, and the clinician can make the requested adjustments. This workflow meets the standards of Canadian authorities.

Oversight and non-compliance

  • All: The federal and provincial privacy laws are overseen by federal and provincial privacy commissioners, respectively. They are responsible for investigating complaints and encouraging compliance. In both Ontario and British Columbia, the commissioner has the power to make binding orders. This power is different from the federal commissioner’s recommendatory role. Ontario’s privacy commissioner also has the power to impose administrative monetary penalties for non-compliance.

  • Ontario: There are some specific requirements in Ontario that apply to service providers like Freed that allow health organizations to handle personal health information electronically. These requirements would restrict Freed from the following activities; Freed complies with each of these requirements:

    • Using personal health information to which it has access for purposes beyond providing its services.

    • Disclosing personal health information to which it has access in the course of providing the services.

    • Permitting anyone acting on its behalf to access information unless they comply with the above restrictions.

  • Freed complies with each of these requirements.

Did this answer your question?