PHIPA Service Provider & Data Processing Practices
The following describes how EMERGE Healthcare Co. (“EMERGE”) processes Personal Information and Personal Health Information (“PHI”) in a manner aligned with the Personal Health Information Protection Act, 2004 (Ontario) (“PHIPA”) and to support our customers’ regulatory compliance.
1. Definitions
For clarity in this summary:
- PHI means Personal Health Information as defined under PHIPA.
- Personal Information means any information about an identifiable individual and includes PHI where applicable.
- Processing means any collection, access, use, disclosure, retention, modification, storage, safeguarding, or disposal of Personal Information.
- Security Incident means a reasonably suspected or confirmed unauthorized access, loss, or disclosure of Personal Information.
- Sub-processor means any third party engaged by EMERGE to Process Personal Information in connection with the delivery of our services.
2. Role Under PHIPA
When providing services to a healthcare provider or clinic that is a Health Information Custodian under PHIPA, EMERGE acts as a service provider. We Process PHI only on behalf of, and under the instructions of, the customer for the purposes of delivering the agreed services.
EMERGE does not assume ownership, custodianship, or independent rights over PHI. All PHI remains under the effective control of the healthcare provider or clinic at all times.
3. Permitted Processing
EMERGE will Process Personal Information, including PHI, only as required to:
- provide and support the services agreed with the customer;
- carry out the customer’s documented instructions;
- comply with applicable law.
We limit our Processing to what is reasonably necessary for these purposes.
4. Personnel Access & Confidentiality
Only authorized EMERGE personnel, agents, or contractors who require access to Personal Information to deliver or support services may access such information. All such personnel are bound by confidentiality obligations and training appropriate to their roles.
5. Sub-processors
We may engage qualified Sub-processors (e.g., hosting providers, infrastructure services) to support service delivery. We ensure that:
- Sub-processors only Process Personal Information as necessary to provide the services; and
- Sub-processors are contractually obligated to protect Personal Information at levels consistent with PHIPA and this summary.
6. Individual Requests & Inquiries
Under PHIPA, individuals submit requests to access or correct PHI to the healthcare provider (Health Information Custodian). If EMERGE receives such a request directly, we will direct the requester to the appropriate custodian and provide reasonable support. If EMERGE receives a complaint or inquiry about Personal Information, we will promptly notify the customer and reasonably cooperate as needed.
7. Legally Compelled Disclosure
If required by law (e.g., subpoena or court order), EMERGE may be compelled to disclose Personal Information. In such cases, we will notify the customer where permitted and limit disclosure to the minimum required by law.
- encryption in transit and at rest;
- role-based access controls;
- audit logging and monitoring;
- secure hosting and infrastructure;
- internal policies and access restrictions.
- notify the customer as soon as reasonably feasible after becoming aware;
- provide available information to support the customer’s compliance obligations; and
- take reasonable steps to investigate, mitigate, and prevent further incidents.
- Information collected before it is associated with a healthcare provider is processed in EMERGE’s capacity as a platform provider in accordance with our Privacy Policy and applicable privacy law.

