Privacy Policy

MedEssist Privacy Policy

Last Updated June 9, 2022

At MedEssist, we value the trust you have in us to protect the data and privacy of your pharmacy and of your patients. This document describes how we handle data privacy and security to ensure compliance to federal and provincial regulations such as PIPEDA, PHIPA, PIPA, and others.

Data collected within MedEssist is organized as either Personal Information (PI) and Personal Health Information (PHI). Personal Information (PI) is general information used to facilitate communications such as Name, Date of Birth, Email, and Telephone Number. Personal Health Information (PHI) is the information collected that is required for the purposes of providing a requested health service. MedEssist only collects information that is required for the purposes of providing a requested health service. However, individual health care providers can utilize MedEssist to create and/or customize additional data collection. MedEssist does not monitor or control the communications or any additional data collection customized by health care providers.

Our Data and Security Partner

Google Cloud is our data and security partner. Our data is stored in Montreal Quebec and encrypted in transit and at rest. We have elected to work with Google to ensure your patients have access to their industry leading security systems trusted by some of the largest healthcare organizations worldwide and within Canada. Google cloud is used by leading pharmacy organizations such as Mckesson, Telus Health, and Shoppers Drug Mart. 

Google Cloud Certifications

Google Cloud has a mature and organized system for managing healthcare data within Canada. Please refer to the following white paper for more information:

Ontario's Personal Health Information App

MedEssist utilizes Twilio for SMS Messaging and emails. However, no PMI is sent or stored when utilizing these services. Pharmacies may connect a video conferencing solution to their MedEssist account. We recommend Zoom for Healthcare as this service is widely used within the healthcare system. Each pharmacy must ensure that if they elect to utilize another video conferencing solution, that it is accepted under any provincial guidelines. 

How Data is Accessed
MedEssist is carefully designed to maximize usability while ensuring data is stored securely. 

  • There are 2 collections in which patient information is stored. One collection contains only PI and is utilized by the public facing access points such as or While a second collection which contains PHI is not accessible from any public access point. 
  • Patients cannot access their own documentation after it has been submitted. They can only erase or redo their documentation from scratch or ask the pharmacy to revise it on their behalf. Therefore when patients receive an email to fill documentation or to book an appointment, even if their email is compromised or sent to the wrong patient, no PHI information is accessible. 
  • Patients do not make passwords to use any service. This makes our service much easier to use and more secure as we do not store patient passwords.
  • If it is necessary for PMI to be accessible to the public (i.e. test results that need to be accessible by a third party.), MedEssist generates passwords to ensure that the passwords are secure and difficult to decrypt.

How Data is Deleted
MedEssist is designed to give pharmacies and their patients as much control over their data as possible. MedEssist stores PI and PMI only with the consent of the pharmacy and their patients. Data can be deleted or modified in the following 3 ways:

1) Patients can delete their own data with a link at the bottom of any email correspondence through MedEssist. This will delete all instances of their record including the pharmacy’s access to this record.

2) Pharmacies can delete any patient data from dashboard view. This will delete all instances of this record. Patients can request their data be modified or deleted by contacting their respective pharmacy.

3) Patients can request their data be deleted by contacting our privacy officer Michael Do at

Organizational Policies

MedEssist has a number of internal protocols to ensure data is safeguarded:

  • Full database access is restricted to 2 lead engineers (Victor Yu and Parth Desai) or to Canadian healthcare providers with technical training that are employed by MedEssist such as pharmacists or registered pharmacy technicians. 
  • If pharmacies need assistance with their dashboard, MedEssist support staff must ask for consent to access their view by asking for their password each time. MedEssist support staff must login only through a private/incognito browser. Pharmacies are able to reset their password with a link on the login page of MedEssist.
  • All software development is conducted in Canada. 
  • MedEssist will not contact patients directly without the consent of the pharmacy other than for technical issues. 
  • Passwords created by pharmacies are stored and handled by Google Authentication to ensure no MedEssist staff can access pharmacy accounts without consent. 

Privacy Policy:

MedEssist’s Privacy Officer is Michael Do. He is a licensed Pharmacist in Ontario, Canada. He is responsible for approving all components of MedEssist in which information is collected to ensure they follow our privacy policy. He can be contacted by email through to assist with any questions related to privacy by pharmacies or patients.

  • MedEssist only collects information that is essential to providing the requested health service.
  • MedEssist protects the confidentiality, security, and integrity of all information in transit and when stored within reasonable means.
  • MedEssist does not share or sell any PI or PMI with any third party. Patients' data is shared with only the pharmacy that they have selected. Anonymized data may be shared with third parties for research or educational purposes, or to improve services.
  • Anonymized data will not include any patient identifiers such as name, address, date of birth, health services numbers, telephone, email, or any other personally unique properties. 
  • MedEssist will notify all affected parties in case of a data breach and take appropriate steps to rectify the problem as soon as possible. 

Procedures in Case of a Data Breach
In the case of a data breach is identified or reported. MedEssist’s Privacy Officer Michael Do will implement a 4 step process to manage the data breach:

1) MedEssist will coordinate with its data and communications partners (Google Cloud and Twilio) to assess the scale and cause of the data breach.

2) If the cause of the data breach can be corrected within MedEssist’s code. A fix will be created and deployed as soon as possible.

3) All affected pharmacies and/or patients that were affected will be notified by email or phone call of what information may have been exposed. Instructions on how to safeguard their data (i.e. resetting passwords) will be provided.
4) MedEssist will review all internal policies and implement any changes required to prevent future data breaches.