Last Updated June 9, 2022
At MedEssist, we value the trust you have in us to protect the data and privacy of your pharmacy and of your patients. This document describes how we handle data privacy and security to ensure compliance to federal and provincial regulations such as PIPEDA, PHIPA, PIPA, and others.
Data collected within MedEssist is organized as either Personal Information (PI) and Personal Health Information (PHI). Personal Information (PI) is general information used to facilitate communications such as Name, Date of Birth, Email, and Telephone Number. Personal Health Information (PHI) is the information collected that is required for the purposes of providing a requested health service. MedEssist only collects information that is required for the purposes of providing a requested health service. However, individual health care providers can utilize MedEssist to create and/or customize additional data collection. MedEssist does not monitor or control the communications or any additional data collection customized by health care providers.
Our Data and Security Partner
Google Cloud is our data and security partner. Our data is stored in Montreal Quebec and encrypted in transit and at rest. We have elected to work with Google to ensure your patients have access to their industry leading security systems trusted by some of the largest healthcare organizations worldwide and within Canada. Google cloud is used by leading pharmacy organizations such as Mckesson, Telus Health, and Shoppers Drug Mart.
Google Cloud has a mature and organized system for managing healthcare data within Canada. Please refer to the following white paper for more information:
MedEssist utilizes Twilio for SMS Messaging and emails. However, no PMI is sent or stored when utilizing these services. Pharmacies may connect a video conferencing solution to their MedEssist account. We recommend Zoom for Healthcare as this service is widely used within the healthcare system. Each pharmacy must ensure that if they elect to utilize another video conferencing solution, that it is accepted under any provincial guidelines.
How Data is Accessed
MedEssist is carefully designed to maximize usability while ensuring data is stored securely.
How Data is Deleted
MedEssist is designed to give pharmacies and their patients as much control over their data as possible. MedEssist stores PI and PMI only with the consent of the pharmacy and their patients. Data can be deleted or modified in the following 3 ways:
1) Patients can delete their own data with a link at the bottom of any email correspondence through MedEssist. This will delete all instances of their record including the pharmacy’s access to this record.
2) Pharmacies can delete any patient data from dashboard view. This will delete all instances of this record. Patients can request their data be modified or deleted by contacting their respective pharmacy.
3) Patients can request their data be deleted by contacting our privacy officer Michael Do at firstname.lastname@example.org
MedEssist has a number of internal protocols to ensure data is safeguarded:
Procedures in Case of a Data Breach
In the case of a data breach is identified or reported. MedEssist’s Privacy Officer Michael Do will implement a 4 step process to manage the data breach:
1) MedEssist will coordinate with its data and communications partners (Google Cloud and Twilio) to assess the scale and cause of the data breach.
2) If the cause of the data breach can be corrected within MedEssist’s code. A fix will be created and deployed as soon as possible.
3) All affected pharmacies and/or patients that were affected will be notified by email or phone call of what information may have been exposed. Instructions on how to safeguard their data (i.e. resetting passwords) will be provided.
4) MedEssist will review all internal policies and implement any changes required to prevent future data breaches.