Personal Data Governance Policy, CLINIQUE HEALY

Patient Information Governance Policy

Clinique Dentaire Healy is aware of its responsibilities regarding the protection of personal information. This policy sets out the rules for the governance of patients’ personal information held by the clinic. It is published on the clinic’s website or made available by other appropriate means (e.g., in the clinic’s waiting room or reception area, please specify).

I/ The Person in charge of the protection of personal information and his/her role

1/ Person in charge of the protection of personal information

Dr. Liliane Malczewski, as the person exercising the highest authority within the company, is responsible for the protection of personal information held by Clinique Dentaire Healy / Dr. Malczewski is designated as responsible for the protection of personal information held by Clinique Dentaire Healy. The Officer can be reached at (514) 684-9198.

Dr. Malczewski’s contact details are published on the clinic’s website. Dr. Malczewski has received training in the protection of personal information.

In accordance with the law, Dr. Malczewski, as the Person in charge of the protection of personal information, receives and handles all requests relating to the protection of personal information, whatever their nature, including:
• receiving and processing requests for access, rectification, copies of files, restriction or refusal of access, and withdrawal of consent
• managing confidentiality incidents
• keeping the Register of confidentiality incidents
• notifying the persons concerned by confidentiality incidents when those incidents present a risk of serious injury
• declaring to the Commission d’accès à l’information (CAI) privacy breaches that present a risk of serious injury
• keeping the logs
• making privacy recommendations
• suggesting privacy training activities

What information does the dental clinic collect?

The clinic collects the personal information listed in articles 15 and 16 of the Règlement sur la tenue des cabinets et des dossiers et la cessation d’exercice des membres de l’Ordre des dentistes du Québec:
– the patient’s name, gender, date of birth, address, and telephone number
– the patient’s medical and dental history

The dentist records the following in the patient’s dental file:
– the date of consultation
– the diagnosis
– treatment options and individual prognoses
– the statement of operations and a description of all forms of treatment carried out
– the materials and medicines used
– written prescriptions for medication or treatment
– significant elements of any verbal or written communication with or about the patient
– the results of examinations carried out, diagnostic elements, and radiological examination reports, as well as all models
– annotations relating to information provided to the patient concerning acceptance of treatment and annotations relating to receipt of the patient’s consent to treatment
– the name, concentration, and quantity of products used in the case of general, regional, or local anesthesia, or conscious or deep sedation
– information and recommendations provided to the patient regarding treatment
– the date on which the patient was referred to a healthcare professional, the name of the professional, the purpose of the consultation, and the report issued following the consultation
– annotations, correspondence, and any other documents relating to the services rendered by the dentist, and any copies of documents or certificates issued to the patient
– information on professional fees and any amounts billed to the patient
– a note signed by the patient or his or her representative, when he or she has requested the removal of an item or document, indicating the nature of the document and the date of its removal.

The dentist collects information from the Ordre des dentistes du Québec’s confidential medical-dental questionnaire. For billing purposes, the dentist also collects the patient’s health insurance number, health insurance card expiry date, insurance company name, last-resort financial assistance status, etc.

How and from whom are they collected?

Personal information is collected from a person during the first episode of care by means of a confidential medical-dental questionnaire. The personal information of a minor under the age of 14 is collected from the person having parental authority. The personal information of minors aged 14 and over is collected from the minor him/herself or from the person having parental authority. The personal information of an incapable adult is collected from the tutor or mandatary.

At the time of the initial collection of personal information, and thereafter upon request, the patient or his/her legal representative is informed in clear and simple terms, by means of the form entitled “Information From Your Clinic”, of the following elements:
1° the name of the organization collecting the information
2° the purposes for which the information is collected
3° the means by which the information is collected
4° the rights to access and rectify the information
5° the possibility of restricting or refusing access to this information and the procedures for doing so
6° the right to withdraw consent to the disclosure or use of the collected information
7° the length of time the information is kept.

Who, in the company, has access to the personal information collected?

• The clinic’s professionals, employees, trainees, or students have access to patients’ personal information only to the extent necessary for the performance of their duties.
• The treating health-care personnel and their assistants (dentists, dental hygienists, dental assistants) have access to the health information they need to provide dental care.
• The administrative staff (e.g. secretary, receptionist, accountant, coordinator) and the dentist have access to information required for billing, appointment scheduling, and other administrative purposes.

All clinic employees, including trainees and students where applicable, have signed a confidentiality agreement. All of the clinic’s professionals, employees, trainees, and students have been made aware of this policy and have benefited from privacy training and awareness activities (indicate which, e.g., webinar, meeting).

Patient information is recorded in the dental record. The dental record is kept in a filing cabinet to which the public does not have access and/or which is locked. Files stored in digital format are protected in such a way as to restrict access to authorized persons only (with the help of your IT or software supplier, specify the measures used to ensure the highest level of confidentiality, e.g. encryption, access control, frequency of changing access codes, archiving, schedule for updating workstations and technological products and services used, backup and frequency, security maintenance, etc.). Archived dental records are stored in a cabinet to which the public has no access.

The Person in charge of the protection of personal information ensures that the log of health information uses is completed daily by any staff member or professional who has consulted, used, communicated, or received communication of health information.

or

The Person in charge of the protection of personal information prints the daily report of consultations and uses of health information from the dental software.

A Privacy Impact Assessment (PIA)[10] is carried out for any project to acquire, develop or overhaul an information system or electronic service delivery system involving the collection, use, communication, keeping or destruction of personal information. The Act defines “technological product or service” as any equipment, application, or service required to collect, store, use, or communicate information, such as an information bank or system, a telecommunications network, a technological infrastructure, software, or a computer component of medical equipment. A PIA is also carried out when personal information is to be disclosed to a partner/supplier outside Quebec, and it shall be transmitted only if the assessment shows that the information would benefit from adequate protection, particularly with regard to generally recognized privacy principles, and after informing the person(s) concerned.

5/ Communication to third parties

The personal information of patients cannot be disclosed to third parties without their consent, except where required by law.

If the patient wishes to consult his or her dental file, he or she must send a written request to Dr. Liliane Malczewski, in charge of the protection of personal information, at [email protected]. Upon receipt of the access request, the patient will receive an acknowledgement of receipt. The Person in charge of the protection of personal information will provide access to the dental file free of charge within 30 days of receipt of the request and during regular clinic business hours. The Person in charge of the protection of personal information shall give reasons for any refusal to grant a request for access, specifying the reasons for the refusal,

[10] See the accompanying guide from the Commission d’accès à l’information at the following link (French): https://www.cai.gouv.qc.ca/documents/CAI_Guide_EFVP_FR.pdf

The patient has the right:
1° to have inaccurate, incomplete, or equivocal information corrected in a document concerning him or her that is included in any file established about him or her considering the purpose for which the information was collected;
2° to have any outdated information or information not justified by the purpose of the file compiled on him or her deleted;
3° to add any written comments to the file.

This request should be addressed to Dr. Malczewski. The Person in charge of the protection of personal information will respond within 30 days of receipt, and will issue a copy of the document or part of the document attesting that the information has been corrected or deleted, or an attestation that the comments written by the patient have been placed in the file. The Person in charge of the protection of personal information shall give reasons for any refusal to grant a request and shall indicate the provision of the law on which the refusal is based, the remedies available, and the time limit within which they may be exercised.

3/ Right to obtain a copy, and procedure

Patients have the right to obtain a copy of their dental records. This request should be addressed to Dr. Malczewski. The Person in charge of the protection of personal information will reply within 30 days of receipt, and may charge a fee for reproduction or transmission, in which case the patient shall be notified of the approximate amount. Paper copies shall be delivered by hand or sent by registered mail. When the file is on a digital medium, it will be communicated to the requester in a structured, commonly used technological format, via a secure transmission method.

The patient has the right to restrict access to his or her health information or to refuse that information concerning him or her be made available to certain specified persons, in certain circumstances. This request should be addressed to Dr. Malczewski, Person in charge of the protection of personal information, in writing to [email protected]

The patient has the right to make a complaint in connection with the collection, use, or disclosure to a third party of his or her personal information, or for any other reason related to the protection of his or her personal information. This request should be addressed to Dr. Liliane Malczewski, Person in charge of the protection of personal information, in writing. The complaint must contain all the details needed to understand the situation, the person implicated, his or her position, the date of the events at the root of the complaint, the presence of witnesses and their names, if any. Upon receipt of the complaint, the patient will receive an acknowledgement of receipt.

The Person in charge of the protection of personal information will investigate, and meet with all those involved. All employees and independent workers of the dental clinic are required to cooperate in the investigation process, and to do so in such a way as to preserve the confidentiality of the information in their possession, except to the extent necessary to analyze the complaint.

At the end of the investigation, a report will be produced by the Person in charge of the protection of personal information. This report will determine whether the allegations are founded and, if so, make recommendations that may include administrative or disciplinary measures, measures to prevent the recurrence of similar incidents, a report to the Commission d’accès à l’information depending on the nature of the incident, or any other measure deemed appropriate. The Person in charge of the protection of personal information will inform the complainant in writing of the findings of his or her investigation, and of the measures that will be implemented.

The Act defines “confidentiality incident” as follows:
1° any access to personal information that is not authorized by law
2° the use of personal information that is not authorized by law
3° the unauthorized communication of personal information
4° the loss of personal information or any other breach in the protection of such information.

2/ Procedure

When the Person in charge of the protection of personal information is informed of a confidentiality incident involving personal information, he or she shall:
– take reasonable steps to reduce the risk of harm being caused and to prevent similar incidents from occurring in the future
– record the incident in the register of confidentiality incidents, even if there is no risk of serious injury.

The Person in charge of the protection of personal information must consider, among other things, the sensitivity of the information concerned, the anticipated consequences of its use, and the likelihood that it will be used for injurious purposes. If the incident presents a risk of serious injury, he or she must, with diligence, notify the Commission d’accès à l’information using the form provided by the Commission for this purpose, as well as any person whose personal information is affected by He or she may also notify any person or organization likely to reduce this risk, communicating only the personal information required for this purpose without the consent of the person concerned.

Dental records shall be kept for five years following the last entry or insertion in the record, in accordance with the law. The personal information relating to the supporting documents needed to verify the information contained in the clinic’s logs and account books shall be kept for six years in accordance with the Income Tax Act.

Once the retention periods have expired, personal information shall be destroyed in such a way as to preserve its confidentiality, using the following methods:
– paper file – indicate method used (shredder, incineration, etc.)
– electronic file – indicate method used (digital shredding, crushing, incineration, etc.)
– models – indicate the method used (crushing, incineration, anonymization, etc.)

Date: SEPTEMBER 25 2023

Person in charge of the protection of personal information

LILIANE MALCZEWSKI