Privacy by Design:
Biscuit Health is committed to protecting and preserving your privacy. Our business and team are built around the Privacy by Design principles to ensure our platform is a safe space for our communities.
The Biscuit Health Platform enables our communities to access specialized allergy care tools to manage their care through our mobile App or Website, and for our clinicians and partners to oversee the care of patients through our EMR and other digital systems.
As a health clinic operating in British Columbia, Biscuit Health is PIPA-compliant. This article dives into what PIPA-compliance means, and how we achieve compliance with these regulations and beyond.
Privacy Laws and Health Records in BC
The PIPA BC (Personal Information Protection Act) is legislation passed in BC that is substantially similar to the federal PIPEDA law, requiring that health clinics handle personal information with care.
What is considered personal information?
Personal information is any recorded information or data that can identify a patient (name, address, phone number, ID number) and any information that is about an identifiable patient (physical description, education, blood type). PIPA allows us to collect this information, use it, and disclose it for "reasonable purposes", meaning purposes that any reasonable individual would consider appropriate.
How do we comply with PIPA at Biscuit Health?
Privacy By Design — We've gone above and beyond PIPA requirements by adopting a Privacy By Design culture at Biscuit Health. It is embedded into all our procedures and everything we've built, from our clinical team to our technology team. At a minimum, PIPA requires organizations such as Biscuit to remain in control of the personal information they collect, even when it is not in our custody. We do this by enforcing Business Associate Agreements (BAAs) with any partner that may receive personal information from us as part of our care delivery.
Designated Privacy/Compliance Officer — We are required to publicly disclose the person in charge of privacy and compliance at Biscuit Health.
Consent — We obtain informed consent as part of our intake and inform patients about how their personal information is collected, used, or disclosed. In line with Privacy By Design principles, we collect only the minimum information required to provide patients with care.
Disclosure — Beyond the purposes required to provide care to patients, Biscuit does not disclose personal information except in the following circumstances:
as required by a treaty
as required by a subpoena
by order in an investigation of an offence under Canadian or Provincial law
in response to an emergency where the health, safety, or life of an individual is at immediate risk
when required to contact next of kin for a deceased or ill individual
Right to Access under PIPA
Patients have the right to access their own personal information, and we make an effort to respond to requests as swiftly as possible, within 30 business days. While we grant the majority of requests in the interest of transparency, we may refuse a request if it falls under one of the following conditions:
the information could threaten the safety or physical or mental health of another individual
the information is expected to cause immediate or serious harm to the safety of the individual requesting the information
the information would reveal personal information about another individual
the disclosure would reveal information about a third party that has not provided consent
the information is correspondence between our organization and legal counsel regarding legal advice on an issue that the same individual initiated
when the information would reveal commercial information about our business and harm the competitive position of our organization
when the information was collected for an investigation that has not yet concluded
when the information was collected by a mediator or arbitrator for a court-appointed mediation or arbitration
when the information is subject to a solicitor’s lien.
Please note that certain record requests may incur a $25.00 administrative fee.
Rights to correct information
While we strive to ensure information we maintain is accurate and complete, there may be instances where this is not the case. Patients can make a request at any time to correct their personal information by submitting a request in our privacy portal.
Protecting personal information
Our technology and organization are built to be SOC2-compliant and HIPAA-compliant. This means data is encrypted end to end and at rest. Any endpoints, such as laptops or mobile devices, with access to personal information require authentication and are subject to our security policies, which were designed to prevent unauthorized access. All Biscuit Health employees and contractors undergo privacy training and are required to complete refresher training annually.
All patient records and personal information are backed up to a separate location to protect the information from accidental destruction, and all attempts to access information are logged and timestamped.
Questions?
Have any questions about this guide or anything else related to privacy? Feel free to email our Trust & Safety team at privacy@heybiscuit.ca and we'd love to clarify anything you're unsure about!