Jewish Addiction Community Services Toronto
Privacy Policy  

Last updated: May 1, 2022 

Jewish Addiction Community Services (JACS) Toronto and its clinicians who provide clinical services (“JACS”, “we” “our” and “us”) are committed to protecting the privacy and confidentiality of the personal health information (“PHI”) of its clients.

Scope of Privacy Policy

This Privacy Policy describes how JACS collects, uses, discloses, and otherwise manages your PHI in connection with a client’s use and access to the JACS website at https://jacstoronto.org/ (“Website”), the booking services and therapy/counselling sessions offered via the video conferencing application and web platform provided by Cliniko (the “JACS Portal”) and the provision of clinical services by its clinicians in person, electronically or by any other means.

This Privacy Policy should be reviewed with our Terms of Use.

Third Party Vendors

JACS has contracted with a third-party vendor, Cliniko, a software company for the JACS portal to:

• enable JACS clinicians to provide clinical services by way of video conferencing;
• allow clients to book appointments; and
• house JACS’ client information (i.e. clinical notes made from video conferencing, intake forms).

For more information on Cliniko’s privacy practices, please see the Cliniko’s privacy policies and practices: https://www.cliniko.com/policies/privacy/

JACS also uses Zoom Video Communications (“Zoom”) to provide clinical services (i.e. support groups or group counselling) by way of videoconferencing. For more information on Zoom’s privacy policies and practices, please see https://explore.zoom.us/en/privacy/.

If you do not agree with Cliniko’s privacy policies, please stop using the JACS Portal. If you do not agree with Zoom’s privacy policies and practices, please stop using Zoom.  In these circumstances, please notify JACS to enable clinicians to determine alternative methods to book appointments and provide clinical services (as applicable).

Privacy Principles

JACS is a health information custodian (“HIC”) under Ontario’s Personal Health Information Protection Act (“PHIPA”) and has adopted the following 10 privacy principles in the collection, use, and disclosure of your PHI in accordance with PHIPA.

What is Personal Health Information?

PHI as defined in PHIPA means identifying information about a client in oral or recorded form, which includes but is not limited to the physical or mental health of a client; health history of a client’s family; provision of health care; payments or eligibility for coverage for health care; donations of any bodily part of bodily substance or from the testing or examination of any such body part or substance; health care number; or identifies the client’s substitute decision-maker.

Principle 1 – Accountability for PHI

JACS, as a HIC, is responsible for PHI it holds on behalf of its clients. JACS will collect, use, and disclose your PHI only with your consent or otherwise permitted or required by law.

JACS has designed a Privacy Officer to be accountable for our compliance with these principles and to oversee questions related to privacy and this Privacy Policy. If you have questions or require further information about this Privacy Policy, please contact JACS’ Privacy Officer:

Principle 2 – Identifying Purposes for PHI

JACS only collect your PHI with your consent, or as may be permitted or required by law. JACS will not collect PHI more than necessary to achieve its purposes.

Purposes

The main purposes for which JACS generally use PHI are:

• Providing direct clinical and professional care, which includes but is not limited to therapy, counselling, treatment, and services;
• Administration, and management of programs and services;
• Scheduling appointments;
• Receipt and processing of donations;
• Provision of emails and newsletters about upcoming programs and services, initiatives, events, fundraising and schedule changes;
• Communicating with you and responding to your requests for information (i.e. responding to email inquiries about our services);
• Billing/payments, administration within JACS and for planning and management of JACS programs and services;
• Research, teaching, statistical reporting, fundraising, and marketing purposes;
• Quality purposes, which include but is not limited to one or more of evaluating, measuring and analyzing whether JACS is meeting its standards in providing services and programs;
• Risk management, error management or for the purposes of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services;
• Disposing of information or modifying the information to conceal the identity of the individual;
• Determine eligibility for insurance coverage and payment if you provide such information to JACS;
• Training of clinicians, staffs, students, and trainees;
• Meeting its legal obligations as otherwise permitted or required by law;
• Administrative purposes related to any of the above purposes; and
• For the purposes described herein and for all functions reasonably necessary for carrying out those purposes.

JACS does not sell, rent, or trade its mailing list or PHI. Donor information is used by JACS for charitable purposes only as described above and will not be used by any entity outside of JACS.

When PHI that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is permitted or required by law, consent will be required before the information can be used for that purpose.

Principle 3 – Consent for the Collection, Use and Disclosure of PHI

Under PHIPA, HICs require consent in order to collect, use, or disclose PHI. However, there are some cases where JACS may collect, use, or disclose PHI without consent, as permitted or required by law.

Express consent

Should you wish your lawyer, insurance company, family, employer, landlord or other third-party individuals or agencies (non-health care providers) to have access to your health record at JACS, you must provide verbal or written consent to this effect. Access and correction requests are discussed further below.

Implied consent (Disclosures to other health care providers for health care purposes)

Client information may also be released to a client’s other health care providers for health care purposes (within the “circle of care”) without the express written or verbal consent of the client as long as it is reasonable in the circumstances to believe that the client wants the information shared with the other health care providers. No client information will be released to other health care providers if a client has stated he/she does not want the information shared (i.e., by way of the placement of a “lockbox” on his/her health records).

A client’s request for treatment constitutes implied consent to use and disclose his/her PHI for health care purposes, unless the client expressly instructs otherwise.

No Consent

There are certain activities for which consent is not required to use or disclose PHI. These activities are permitted or required by law. For example, JACS does not need consent from clients to (this is not an exhaustive list):

• Plan, administer and manage our internal operations, programs, and services;
• Get paid;
• Engage in quality improvement, error management, and risk management activities;
• Participate in the analysis, administration and management of our services and the health care system;
• Engage in research (subject to certain rules);
• Teach, train and educate members of our team and others;
• Compile statistics for internal or mandatory external reporting;
• Respond to legal proceedings; or
• Comply with mandatory reporting obligations.

Withholding or Withdrawing Consent

If consent is sought, a client may choose not to give consent (“withholding consent”). If consent is given, a client may withdraw consent at any time, but the withdrawal cannot be retroactive. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.

Lockbox

PHIPA gives clients the opportunity to restrict access to any PHI or their entire health record by their health care providers or by external health care providers. Although the term “lockbox” is not defined in PHIPA, lockbox is commonly used to refer to a client’s ability to withdraw or withhold consent for the use or disclosure of their PHI, but only for health care purposes. A lockbox does not affect the other uses and disclosures under PHIPA that are permitted or required, without consent, including the authority for JACS to disclose PHI to reduce or eliminate a significant risk of serious bodily harm.

Principle 4 – Limiting Collection of PHI

The amount and type of PHI collected by the JACS is limited to that which is necessary to fulfill the purposes identified. PHI is collected directly from the client, unless PHIPA or another law permits or requires collection from third parties. PHI is only collected as needed to fulfill the health care role of individual staff.

If you wish to opt out of receiving communications from JACS, you may do so quickly and easily by clicking Unsubscribe link at the bottom of our email communications. Alternatively, you may contact our Privacy Officer.

Principle 5 – Limiting Use, Disclosure and Retention of PHI

Use

PHI is not used for purposes other than those for which it was collected, except with the consent of the client or as permitted or required by law. JACS clinicians use the information within the limits of their individual roles. The clinicians do not read, look at, receive, or otherwise use PHI unless they have a legitimate “need to know” as part of their role.

Disclosure

PHI is not disclosed for purposes other than those for which it was collected, except with the consent of the client or as permitted or required by law. JACS may disclose PHI to its agents, such as Cliniko, for the provision of direct care.

Retention

Health records are retained as required by law and professional regulations and to fulfill the purposes for which PHI is collected. PHI that is no longer required to be retained by law, or to fulfill the identified purposes is securely destroyed, erased, or made anonymous.

Principle 6 – Accuracy of PHI

JACS will take reasonable steps to ensure that PHI it hold is as accurate, complete, and up to date as is necessary to minimize the possibility that inappropriate information may be used to make a decision about a client.

Principle 7 – Safeguards for PHI

JACS have put in place safeguards to protect the security and confidentiality of the PHI in its custody and control to protect against theft, loss, and unauthorized use or disclosure, which includes but is not limited to:

• Physical safeguards (i.e. locked doors and cabinets, and restricted access to servers);
• Organizational safeguards (i.e. permitting access to PHI by staff on a “need-to-know” basis only and privacy training); and
• Technological safeguards (i.e. use of passwords, encryption, firewalls, and audits)

JACS require anyone who collects, uses, or discloses PHI on our behalf to be aware of the importance of maintaining the confidentiality of PHI. This is done through the signing of confidentiality agreements, privacy training, and contractual means.

For the safeguarding of PHI that is collected, used, and managed in the JACS Portal, Zoom or by way of email, JACS has implemented the following safeguards, which includes but is not limited to:

• provide the client with the JACS’ Email and Videoconference Policy and obtain client consent to communicate via electronic means;
• verification and authentication of a client’s identity and email addresses before engaging in an email exchange;
• provide a confidentiality notice in the email with instructions to follow if the email is received in error;
• acknowledge receipt of e-mails on a reasonably prompt basis;
• minimize or avoid disclosing PHI in subject lines and message content as much as possible;
• ensure there are no unauthorized persons attending or within hearing or viewing distance during the provision of client services by videoconference; and
• ensure the videoconferences are not recorded.

Care is used in the secure disposal or destruction of PHI, to prevent unauthorized parties from gaining access to the information. Privacy breach protocols are in place to address any theft, loss, or unauthorized access to client’s PHI.  If JACS becomes aware of a privacy breach, it will promptly respond to the breach. It will work collaboratively with applicable groups to minimize the effects of the breach and prevent future breaches.

It is important to note that no physical or electronic security system is impenetrable. E-mail is not an entirely secure medium, and you should be aware of this when contacting us to send personal or confidential information. JACS cannot guarantee the security of our and any third-party service provider’s servers, systems, platforms, hardware, or databases.  Information provided to JACS may be intercepted while being transmitted over the Internet. Any transmission of information by you to us via our Website, JACS Portal, Zoom, email or any other forms of electronic communication is at your own risk.

Principle 8 – Openness about PHI

Information about our policies and practices relating to our management of PHI are available to the public, including:

• Contact information for our Privacy Officer, to whom complaints or inquiries can be made;
• The process for obtaining access to PHI we hold, and making requests for its correction;
• A description of the type of PHI we hold, including a general account of our uses and disclosures; and
• A description of how a client may make a complaint to the Information and Privacy Commissioner of Ontario.

Principle 9 –Access and Correction Requests to PHI

Clients may make written requests to have access to their records of PHI to be corrected if it is inaccurate or incomplete.

JACS will respond to a client’s request for access or request to correct inaccurate or incomplete records of PHI within reasonable timelines and costs to the client, as governed by law. In certain situations, JACS may not be able to provide access to all of the PHI it holds about a client, such as where the access could reasonably be expected to result in a risk of serious harm or the information is subject to legal privilege. JACS may also not be able to correct a record in certain situations.

Principle 10 – Challenging Compliance with Privacy Policies and Practices

Any person may ask questions or challenge our compliance with this Privacy Policy or with applicable privacy legislation by contacting our privacy officer.  If we are not able to address your privacy concerns to your satisfaction, you may contact the Information and Privacy Commissioner of Ontario by writing to or calling:

Changes to our Privacy Policy

We may change and update this Privacy Policy from time to time without notice to you.  You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.