As part of its activities, Les Cliniques Marois collects, uses, archives and destroys personal information about patients who use its services.
Les Cliniques Marois are subject to the application of Law 25 on the protection of personal information in the private sector. To this end, Les Cliniques Marois are responsible for ensuring the protection of the personal information they hold and for complying with Quebec’s Privacy Law 25.
This policy aims to ensure the protection of personal information and to demonstrate how Les Cliniques Marois manages it.
If you have any questions, comments or incidents concerning confidential data at Cliniques Marois, you can contact our privacy officer using one of the following methods:
Name of the person in charge: Vanessa Faro-Dussault
Email address: Vanessa.Faro@lescliniquesmarois.com
Phone: 1-844-URO-ALLO Extension 412
Mailing address: 403-3135 Boul. Moise-Vincent, St-Hubert, Québec, J3Z 0G7
Personal information (PI) is personal information that concerns a natural person and that allows them to be identified, directly or indirectly. For example, here are PIs that Les Cliniques Marois administers daily:
Sensitive personal information (SPI) is data that, due to its nature, particularly medical, biometric or otherwise intimate, or due to the context of its use or communication, gives rise to a high degree of reasonable expectation of privacy. For example, here are some sensitive PI that Les Cliniques Marois manages on a daily basis:
A privacy incident (PI) is: (i) access to personal information that is not authorized by law; (ii) use of personal information that is not authorized by law; (iii) disclosure of personal information that is not authorized by law; or (iv) loss of personal information or other breach of the protection of such information.
The policy covers all types of PI and sensitive PI that Les Cliniques Marois administers as part of professional activities with patients, employees and certain suppliers.
Les Cliniques Marois obtains consent to the collection of PI and sensitive PI before collection, explaining the puPIoses of this collection at the time of collection. In all cases, Les Cliniques Marois uses a consent form.
When Les Cliniques Marois collects PI and SPI on persons under 14 years of age, the holder of parental authority or guardian must consent to the collection.
As part of its activities, Les Cliniques Marois collects various types of PI and sensitive PI. Generally, the collection is done directly from the person who requests services or becomes an employee of Les Cliniques Marois. In certain cases, PI and sensitive PI may be received via third parties, when it concerns the results of additional examinations carried out externally or a patient under 14 years of age.
At the time of collection, Les Cliniques Marois informs the persons contacted of the following information:
Details regarding the collection of personal data:
Types of personal data | Personal information, sensitive personal information & financial information. |
Persons concerned | Patients, parents of children under 14, employees and certain suppliers. |
PuPIose of collection | Daily management of medical records, employee records & accounting. |
Staff involved | Administrative staff, nursing staff, doctors and service supervisors. |
Computer technologies | Electronic medical records (EMR), electronic signature software, cloud telephony software, cloud payroll software, insurance & RVER portals, POS platform, etc. |
Cliniques Marois limits the use of PI and sensitive PI to the purposes for which they were collected, as described at the time of collection.
Details regarding the use of personal data:
Opening a patient file (e.g. new patient) | Performed by administrative staff on the DME. |
Opening and managing employee files (e.g.: new employee) | Carried out by Human Resources (HR) and Accounting supervisors on secure digital platforms. |
Patient file management (e.g.: file note entries, follow-ups, etc.) | Performed by physicians or nurses on the secure EMR as part of appointments or receiving medical results. |
Patient Transactions (e.g.: payments) | Performed by administrative staff and accounting supervisor on the secure EMR and POS platform. |
Communications of PI and sensitive PI to other healthcare professionals (e.g.: copy of medical record) | Carried out by administrative or nursing staff, always with the patient’s consent. |
Observation of third parties outside the Clinics (e.g. trainees or representatives) | Possible with: 1) Patient consent 2) Duly completed and signed confidentiality form |
Production of reports (e.g.: monthly census of operative complications) | Presented in an anonymous form. |
All employees, service providers and subcontractors of Cliniques Marois who may have access to PI and sensitive PI have signed confidentiality agreements in favor of Cliniques Marois. They also undertake to comply with this policy and ensure that PI and sensitive PI are processed throughout their life cycle in the most secure manner possible.
If Cliniques Marois intends to use PI and sensitive PI for other purposes (e.g. clinical study or survey), the person concerned must give their consent.
Patients
Les Cliniques Marois retains the PI and sensitive PI that it holds on an individual for the period necessary to achieve the purposes for which it was requested. This period may vary depending on the person concerned and the reasons for which they were in contact with Les Cliniques Marois – all of which is archived on secure platforms.
The PI and sensitive PI that Les Cliniques Marois holds concerning patients is stored on a cloud-based software called “Electronic Medical Record” (EMR), whose data is encrypted. The EMR itself is hosted in the Telus Health (Canada) Ltd. data center located in Canada.
Voice communications between physicians, staff and patients take place on the cloud-based software and the recordings are hosted in the MCJ Conseil data center, also located in Canada.
Access management to the EMR and the telephone system is administered by management and supervised by the PI Privacy Officer.
Some patient PI may be stored on the POS platform used to collect payments; Les Cliniques Marois limit access to those who need it in the exercise of their functions (particularly accounting) and the password is changed several times a year.
Employees, subcontractors and consultants
The PI and sensitive PI of employees, subcontractors and consultants are stored on secure cloud servers.
Les Cliniques Marois limits access to PI and sensitive PI contained to those who need it in the performance of their duties. It creates as many accesses and sites as necessary to ensure that access to PI and sensitive PI is personalized and limited for different employees.
To this end, each user is granted access with a unique password and dual authentication. Any person who is no longer an employee, subcontractor or no longer needs to have access to PI and sensitive PI has their access revoked in a timely manner.
The management of these accesses is administered by management and supervised by the Personal Information Officer.
Details regarding the archiving of personal data:
Duration of archiving of PI and sensitive PI | For patients, 10 years after the medical record becomes inactive. For employees, 6 years after the record becomes inactive. |
Staff involved in the archiving process | Management and some service supervisors. |
Paper documents | Locked desks, cabinets and filing cabinets of some supervisors. |
Computer technologies | DME & various cloud software. |
Cookies
The use of cookies on our website is now the norm. Cookies only store information related to your movements on our site and do not have the capacity to retrieve other types of data from your hard drive. The information transmitted does not allow you to be personally identified and is only collected due to the technological requirements inherent in Internet browsing and is used for statistical purposes. You can set your browser to block cookies at any time. However, this action may deprive you of certain functions offered on our site.
Google Analytics
This site uses Google Analytics, which is a web audience measurement tool. Google Analytics collects information about your browsing on the Cliniques Marois site, which is stored on servers located in the United States. Google may communicate this information to third parties in the event of a legal obligation or when these third parties process the data on its behalf.
The information collected by the tool includes, for example:
Google uses the information collected only to produce statistics and reports on navigation on this site, which allows us to improve our online platforms. Google will not, under any circumstances, link the information collected on this site with any other data it stores.
Once the purposes for which the PI and sensitive PI were requested have been fulfilled, Les Cliniques Marois will ensure that the PI and sensitive PI are destroyed or that they are anonymized irreversibly and securely.
Details regarding the destruction of personal data:
Personnel involved in the destruction process | Management and some department supervisors. |
Paper documents (e.g. confidential postal mail) | Digitization in a secure platform and systematic shredding. |
Downloads or copies of documents (e.g. patient emails) | Systematic downloading to a secure platform and regular emptying of trash bins. |
Cloud data (e.g. patient records over 10 years old) | Permanent removal of sensitive PI and PI from the secure platform. |
Individuals about whom Les Cliniques Marois holds PI and sensitive PI have the right, at any time, via the procedure described in section 7, to contact Les Cliniques Marois to:
The Marois Clinics will respond to these requests within a maximum period of thirty (30) days unless Law 25 provides for an exception.
Any person who wishes to file a request or modification or complaint in connection with the governance of Cliniques Marois regarding the management of PI and sensitive PI, must do so in writing to the Personal Information Privacy Officer whose address is described in section 1 above.
The request must include the following elements, without which it will not be considered admissible:
The PI Privacy Officer will acknowledge receipt to the applicant as soon as possible.
Any request received will be treated confidentially.
Within thirty (30) days of receipt of the complete request, the PI and sensitive PI Privacy Officer must process it, then send a final, written and reasoned response.