Privacy and Security
NorthShore ADHD and Addiction Clinic abides by:
The American Health Information Portability and Accountability Act (HIPAA)
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
The European Union General Data Protection Regulations (GDPR)
These set out the ground rules for how businesses must handle personal health information in the course of commercial activity.
Our adherence to these acts is our acknowledgement that NorthShore ADHD and Addiction Clinic has an overriding obligation to ensure that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would deem appropriate given the circumstances.
NorthShore ADHD and Addiction Clinic is responsible for the protection and fair handling of personal information at all times. This applies throughout our organization and in dealings with third parties. We believe that care in the handling of personal information is essential to continued consumer confidence and good will.
We will only use your personal information in order to verify your identity or meet regulatory requirements
The only one who can connect your mental health information and your name is you.
2.1 The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Our consent policy is intended to give you the who, what, where, when, how, risk and benefits of your participation. Our goal is to make sure that you know what you are consenting to, have had time to make an informed decision and the opportunity to ask questions.
2.2 Consent can only be provided in writing, electronically or through an authorized representative.
2.3 There are no cases of implied consent.
2.4 You can withhold or withdraw your consent at any time.
2.5 Refusing or withdrawing consent will not affect your care in any way.
3.1 We will only use or disclose your personal information as mentioned above and only when necessary to fulfill the purposes identified at the time of collection, which would include contacting you to offer you the opportunity to connect to care.
3.2 We may be required to disclose your personal information to third parties when...
The disclosure is required by law
In an emergency that threatens an individual's life, health, or personal security
In any situation where child protection would be warranted
3.3 We will not use or disclose your personal information for any additional purpose unless we obtain consent to do so.
3.4 We will ask you for permission to use, store or disclose information in order to do research, improve the treatments we provide or improve the healthcare system.
3.5 We will not sell your de-identified information without your specific consent and a specific reasonable, mutually agreed upon, financial compensation.
Retaining Personal Information
4.1 If we use personal information to make a decision that directly affects you, we will retain that information for at least one year, so that you have a reasonable opportunity to request access to it.
4.2 Subject to policy 4.1, we will retain client, customer, patient personal information only as long as necessary to fulfill the identified purposes above.
5.1 Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used. We will make reasonable efforts to ensure your personal information is accurate and complete, where it may be used to make a decision about you or disclosed to another organization.
5.2 Patients may request correction to their personal information in order to ensure its accuracy and completeness. A request to correct personal information must be made in writing and in sufficient detail to identify the correction being sought.
5.3 If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information. If the correction is not made, we will note the patients’ correction request in the file.
6.1 We are committed to ensuring the security of client, customer and patient personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
6.2 The following security measures will be followed to ensure that patient personal information is appropriately protected, including:
physically securing offices where personal information is held
the use of user IDs, passwords, encryption, firewalls; restricting employee access to personal information as appropriate (i.e., only those that need to know will have access);
contractually requiring any service providers or third parties who requires access, to provide confidentiality agreements or comparable security measures.
6.3 We will use appropriate security measures when destroying patient’s personal information such as shredding documents and permanently deleting electronically stored information.
6.4 We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.
7.1 Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Patients have a right to access their personal information, subject to limited exceptions, such as, solicitor-client privilege, disclosure would reveal personal information about another individual, health and safety concerns.
7.2 A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought.
7.3 Upon request, we will also tell patients how we use their personal information and to whom it has been disclosed if applicable.
7.4 We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request.
7.5 A fee may be charged for providing access to personal information. Where a fee may apply, we will inform the patient of the cost and request further direction from the patient on whether or not we should proceed with the request.
7.6 If a request is refused in full or in part, we will notify the patient in writing, providing the reasons for refusal and the recourse available to the client, customer, member.
8.0 NorthShore ADHD and Addiction Clinic is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
8.1 We will make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
9.0 The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
10.0 The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
10.1 Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
10.2 Personal information must be protected by appropriate security relative to the sensitivity of the information.
11.0 An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
Questions and Complaints
12.0 The Privacy Officer or designated individual is responsible for ensuring our compliance with this policy and the Personal Information Protection Act.
12.1 Clients, customers, patients should direct any complaints, concerns or questions regarding Epiphany360's compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, the client, customer, patient may also write to the Information and Privacy Commissioner of British Columbia.
NorthShore ADHD and Addiction Clinic Privacy Officer
Ms. Astrid Sherman
Ethical Use of Personal Health Data
Benefits to Stakeholders
The clinician/ counsellor/ collector/ workgroup who assesses mental health
The patient/ student/ user of the program who has their mental health assessed
Secondary users of data (Ministry of Health , Insurance, Employers, School boards, Pharma)
Collect relevant data that can be used primarily for the benefit of the patient/ student/ user and secondarily for the clinician/ counsellor and other stakeholders.
Ensure the accuracy and accessibility of data for the benefit of all users
Ethical collection of data
Welfare and safety of participants when data is used for research
Privacy and security of data in collection, transmission, storage and secondary use
To meet these obligations, we are guided by the following policies, procedures and principles as, documented below.
Canadian Tri-council Policy on Ethical Conduct for Research Involving Humans
Canadian Institutes of Health Research
Natural Sciences and Engineering Research Council of Canada
Social Sciences and Humanities Research Council of Canada, 2014
Experimental Research Informed Consent Policy
Information for Patients
Will you consent to have your anonymized information used for research?
Medical researchers aim to understand why some people become sick and others do not, what happens when people become sick, and how best to care for people who are sick. Obtaining patient information for research purposes is critical to improving the quality of your care and the performance of the health care system.
You can decide whether you want any of your identifiable personal information included in the study outlined below. If you decide to allow your personal information to be used or disclosed internally or to a third party (i.e., the principal investigator) for the study, please sign this consent form.
You are free to withdraw your consent at any time without giving a reason. A decision to withdraw or not to take part will not affect the standard of care you receive. Your wish to remove your patient information will be respected unless your personal information has already been made anonymous and can’t be identified for removal.
By agreeing to allow your information to be part of the study you are giving permission for the principal investigator and his or her institution to collect, use, and disclose your personal information for the purposes of this research study. Any new research purposes will require new written consent from you.
The principal investigator and employing institution will report and publish research findings and conclusions in a manner that will not identify you, and will not include photographs or visual representations contained in your personal records.
The investigator and employing institution will destroy any individual identities associated with the records as soon as the purposes of the research project have been accomplished, and will notify the practice in writing to this effect. Your personal information will be kept confidential and will be safeguarded to ensure no inappropriate uses or disclosures occur.
If you believe your personal information has been inappropriately collected, used, or disclosed without your consent, you may bring the matter to your practice’s privacy officer. If the matter has not been resolved to your satisfaction, you may bring your concern to the College of Physicians and Surgeons of BC, and failing that to the Office of the Information and Privacy Commissioner for BC.
If you have any questions, please contact Dr. Antonio Ocana at
Research Subject Rights
Any person asked to take part as a subject in research involving a medical experiment, or any person asked to consent to such participation on behalf of another, is entitled to receive the following list of rights written in a language in which the person is fluent. This list includes the right to:
1. Be informed of the nature and purpose of the experiment.
2. Be given an explanation of the procedures to be followed in the medical experiment, and any drug or device to be utilized.
3. Be given a description of any attendant discomforts and risks reasonably to be expected from the experiment.
4. Be given an explanation of any benefits to the subject reasonably to be expected from the experiment, if applicable.
5. Be given a disclosure of any appropriate alternative procedures, drugs or devices that might be advantageous to the subject, and their relative risks and benefits.
6. Be informed of the avenues of medical treatment, if any, available to the subject after the experiment if complications should arise.
7. Be given an opportunity to ask any questions concerning the experiment or the procedures involved.
8. Be instructed that consent to participate in the medical experiment may be withdrawn at any time and the subject may discontinue participation in the medical experiment without prejudice.
9. Be given a copy of the signed and dated written consent form. California Subject’s Bill of Rights 08/2011
10. Be given the opportunity to decide to consent or not to consent to a medical experiment without the intervention of any element of force, fraud, deceit, duress, coercion, or undue influence on the subject’s decision.
End-User License Agreement
You must use "the Services" in compliance with, and only as permitted by, applicable law. The use of our Services in conjunction with other tools or resources in furtherance of any of the unacceptable uses described herein is also prohibited.
You are responsible for your conduct, Customer Data, and communications with others while using the Services. You must comply with the following requirements when using the Services. If we become aware of survey content that falls outside the bounds of what is acceptable under this policy, we may remove it and report it. We also take steps to prevent uses of our services that are contrary to the spirit of this policy.
(a) You may not use the Services to commit an unlawful activity; use the Services for activities where use or failure of the Services could lead to physical damage, death, mental harm, or personal injury.
(b) You may not provide any person under the age of 13 with access to the Services.
(c) You may not purchase, use, or access the Services for the purpose of building a competitive product or service or for any other competitive purposes.
(d) You may not misuse our Services by interfering with their normal operation, or attempting to access them using a method other than through the interfaces and instructions that we provide.
(e) You may not circumvent or attempt to circumvent any limitations imposed on your account (such as by opening up a new account to create or distribute a survey, form, application, or questionnaire that we have closed for a violation of our terms or policies).
(f) Unless authorized in writing, you may not probe, scan, or test the vulnerability or security of the Services or any system or network.
(g) Unless authorized , you may not use any automated system or software to extract or scrape data from the websites or other interfaces through which we make our Services available.
(h) You may not deny others access to, or reverse engineer, the Services, or assist anyone else to do so, to the extent such restriction is permitted by law.
(i) You may not store or transmit any viruses, malware, or other types of malicious software, or links to such software, through the Services.
(j) You may not use the Services to infringe the intellectual property rights of others.
(k) Unless authorized in writing, you may not resell or lease the Services.
(l) If your use of the Services requires you to comply with industry-specific regulations applicable to such use, you will be solely responsible for such compliance, unless Epiphany360 has agreed with you in writing otherwise. You may not use the Services in a way that would subject Epiphany360 to those industry-specific regulations without obtaining prior written agreement.
(m) We may offer content like images or video that are provided by third parties. You may use that material solely in your survey content. Epiphany360 may modify or revoke that permission at any time in our sole discretion. In using such material, you may not imply that your surveys are affiliated with or run or endorsed by any company, product, brand or service depicted in that material unless you have obtained their permission.
Phishing and Security
We strive to protect the security of all our users. We take specific measures to ensure respondents are not misled by surveys or forms used for fraudulent or malicious purposes. We will suspend any use of the Services which come to our attention that:
attempts to collect social security numbers, credit card numbers (other than solely for collecting payment through an authorized payment processor as permitted by the Services), passwords, or other similar types of sensitive information;
publishes a person’s sensitive identifying information against their wishes;
is intended to deceive or mislead respondents, including by linking to websites with malicious software such as malware;
knowingly and artificially boosts or inflates a website or webpage’s search engine ranking; or
hosts content that is downloadable, live-streamed, or merely intended to solicit clicks to other sites.
Privacy and Impersonation
Users provide responses and information with the expectation that their information will be handled respectfully and not abused. Accordingly, you are responsible for complying with all applicable data protection laws and regulations with respect to any data that you submit to or collect through our Services.
We encourage you to disclose your privacy practices when you use the Services and, if you do, we require you to act in accordance with those practices.
You may not claim that a survey or other use of our Services is anonymous when it is not.
You may not impersonate others when using the Services or collecting information.
We treat our users’ email addresses and mobile numbers with respect and expect our users who collect email addresses and mobile numbers to do the same.
Emails you send via the Services must have a valid reply-to email address owned or managed by you.
Texted survey invitation messages you send via the Services must have a valid reply “Stop”. All recipients of these text messages must have provided you consent in accordance with applicable law.
We prohibit the use of harvested mailing lists.
We prohibit the use of third-party, purchased, or rented mailing lists unless you are able to provide proof that individuals on the list have opted-in to receiving emails of the type you will be sending them.
You must not use the Services to send emails with deceptive subject lines or false or misleading header information.
Violence and Hate Speech
We remove content and may report information related to that content to law enforcement authorities if we become aware of, or believe that, a genuine risk of harm or threat to public safety exists.
Our Services may not be used to directly or indirectly threaten or attack others, or to organize or incite violence, harassment, or property damage.
Our services may not be used for hate speech, or to promote or fund such acts. Examples of hate speech include attacking or advocating for the abuse or exclusion of people based on their ethnicity, national origin, political or religious affiliations, gender, sexual orientation, genetic predisposition, disability, medical or physical condition, veteran status, or any other protected classes under applicable law.
Our Services may not be used to promote or glorify self-harm.
Bullying and Harassment
Our Services may not be used to bully or harass others.
Pornography and Offensive Graphic Material
Nudity, pornography and gore do not have a legitimate place in our Services.
You may not include gratuitous graphic violent material or pornography in connection with the use of our Services.
We recommend adding a conspicuous warning screen before displaying any material which may be offensive in nature.
We strictly prohibit and report to law enforcement any display of sexual or pornographic content (including in cartoon form) involving minors.
Intellectual Property Infringement
Please respect the intellectual property rights of others. You must have the appropriate rights to any content included in your responses.
How to Report Policy Violations
If you identify content which you believe is in violation of this policy, you may file an abuse report. Please include the URL of the survey or form at issue.