Lumeca Health Inc. Privacy Notice


Definitions

Lumeca – refers to Lumeca Health Inc. (also “we”, “our”, “us”)

Lumeca Platform – refers to the mobile and web applications, websites, Content, products, and services owned and operated by Lumeca Health Inc.

Privacy Notice – refers to this document created and presented by Lumeca, which explains our commitment to the management of your Personal Information (also, “Notice”).

Demographic Information – refers to any information that is not Personal Health Information. This information can be recorded in any form, can be about an identified individual, or an individual whose identity may be inferred or determined from the information. This information is typically used to categorize an individual into a common group with similar characteristics, e.g. age, gender, province of residence, etc.

Aggregated Information – refers to the information where the identity of the individuals is not known and cannot be inferred from the information.

Anonymous/Non-Personal Information – refers to data that cannot be traced or linked to you directly, though it may be a result of your actions and behaviours.

Personal Health Information – refers to any physical or mental health information of an individual disclosed, documented or retrieved for the purposes of accessing health care services, or as an outcome of receiving health care services. (also “Health Information” in some jurisdictions)

Personal Information – refers to Demographic Information and Personal Health Information collectively. It refers to you specifically, whether factual or subjective. It does not include the name, title, business address or telephone number that would be publicly disclosed about an employee by an organization.

PIPEDA – refers to the Personal Information Protection and Electronic Documents Act, a Canadian law regulating the privacy of customers’ data held by private companies.

HIPA SK – refers to the Health Information Protection Act of Saskatchewan, legislation enacted in Saskatchewan to protect the privacy of individuals’ Personal Health Information. Other provinces have similar, or more overarching, health acts that may align more closely with PIPEDA.

Clinical User – any physician, health professional, first responder or employee of a clinic or organization provided with access to the Lumeca Platform for the purpose of consultation with Patient Users.

Patient User, you, your – means residents who access the Services for their personal healthcare purposes. Can represent both an Individual Account and Registered Dependent(s).

Consent to Collection, Use & Disclosure Of your Personal Information

By agreeing to this policy, you are confirming that:

  • You will provide certain personal information to Lumeca
  • We may collect, use and disclose your personal information in accordance with this privacy policy
  • You are consenting to the way we collect information from you
  • You are consenting to Lumeca using your information to help facilitate access to health services, including quality assurance and research & development, as well as to fulfill any support requests you may make of us
  • You are consenting to disclosure of your information to health providers, service providers and subvendors to fulfill the service(s) you are seeking through Lumeca

If you do not agree with these terms, you are requested not to provide any personal information to Lumeca.

You may withdraw your consent at any time, but the withdrawal does not apply retroactively to any information you provided prior to your withdrawal.

Objective and Scope of Notice

Lumeca facilitates the provision of healthcare services to individuals through its platform and its relationships with healthcare providers. Consistent with our obligations as healthcare service providers, we are dedicated to maintaining high standards of confidentiality with respect to all information that has been provided to us, with a particular focus on health information. This Notice has been prepared to affirm our commitment to maintaining the privacy of our clients and others and to inform you of our practices concerning the collection, use and disclosure of Personal Information (as defined above) collected by Lumeca. This Notice applies not only to Lumeca but also to our subsidiary companies.

At Lumeca, safeguarding your confidentiality and protecting your personal and health information is fundamental to the way we do business. Our obligations are governed by the following laws and regulations:

  • Federal Personal Information Protection and Electronic Documents Act (PIPEDA): Applies to private sector organizations across Canada that collect, use, or disclose personal information during a commercial activity. This includes our obligation to facilitate access requests to Personal Information we store about you.
  • Provincial Health Acts: Applies to provincial health information management acts where Lumeca is considered an Information Manager/Information Management Service Provider/Vendor such as the Health Information Act of Alberta or the Health Information Protection Act of Saskatchewan.
  • Medical Regulatory Bodies: Applies to healthcare professionals as members of their applicable regulatory bodies, such as the Canadian Medical Association, College of Paramedics of Saskatchewan, College of Family Physicians of Canada, and College of Physicians and Surgeons of Saskatchewan. The obligations set out in this Notice apply to all professionals, employees, contractors, and agents who provide services in connection with access to patients through the Platform. Other applicable laws and internal policies govern the protection of Personal Information of partners, associates, and employees of Lumeca. It is intended that your direct interaction with health professionals contracted by Lumeca will be treated in the same manner as any other health professional-patient interaction, and the health professional will be responsible for the Personal Information they collect from you in trust.

Protecting Your Privacy – Our Commitment to You

At Lumeca, protecting your privacy means that (i) we keep your information and your relationship with us in strict confidence; (ii) your information is not sold; (iii) you have control over how we obtain, use, and give out information about you; (iv) you have access to the information we have about you; and (v) we respect your privacy when we market our products and services.

PIPEDA has at its core 10 guiding principles, as also set out in the Canadian Standards Association’s Model Code for the Protection of Personal Information, which is incorporated into PIPEDA.

These principles are:

  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure and Retention
  • Accuracy
  • Safeguarding Customer Information
  • Openness
  • Customer Access
  • Handling Customer Complaints and Suggestions

We have designed this Policy to address these 10 guiding principles.

What Information is Collected? Why does Lumeca Collect Personal Information?

Having up-to-date and accurate information helps us provide you with the best possible service, recommendations and, in certain cases, to offer additional services we believe might be of benefit to you.

At Lumeca, we collect two types of information from our clients, either remotely or in person, and from website visitors. With your consent, we collect Personal Information. We may also collect Anonymous/Non-Personal Information.

The types of Personal Information that may be collected and maintained in your file for the purposes of providing healthcare services to you may include, but are not limited to:

Table 1 – Information that you provide to Lumeca
(Columns: Information Provided; Type of Information; Purpose of Collection; Description)

Information Provided: Patient User: Name, Email, Phone Number, Address, Date of Birth, Display Picture, Provincial Health Services Number, Gender, Emergency Contact. Clinical User: Name, Email, Phone Number, Date of Birth, Professional License Number, Electronic Signature.
Type of Information: Demographic Information
Purpose of Collection: Used as a method of communication with the individual (email and phone number). Used for the security of access to the Lumeca Platform to protect Patient User PI & PHI, and Clinicians’ PI. To accurately identify the individual to provide access to the Lumeca Platform and coordinate health care services.
Description: The data elements are unique identifiers of the account holder and the dependent(s). The e-signature would be used by the Clinical User for authorization.

Information Provided: Height, Weight, Allergies, Photographs of Skin Conditions, Reason for Consultation, Chat Message Content
Type of Information: Personal Health Information
Purpose of Collection: To provide accurate health care services to the individual.
Description: The data elements are unique identifiers and health information of the account holder and the dependent(s). These data elements are collected before, during and after the process of a consultation.

Information Provided: Test Forms, Diagnostic Test Results, ICD Code, Prescriptions, Consent Forms from Doctors, Consultation Notes
Purpose of Collection: To maintain records of consultation for clinical management.

Information Provided: Family Doctor: Name, Phone Number, Province; Name and Contact Information of Preferred Pharmacy; Other Providers’ Names and Contact Information
Purpose of Collection: To co-ordinate with the Clinical User(s) to provide accurate health care services. To maintain the security and safety of all parties involved with the Lumeca Platform.
Description: The data elements are unique identifiers associated with the Patient Users.

Information Provided: Global Positioning System (GPS) Coordinates* (*Only pertains to emergency medical service responder use cases)
Type of Information: Personal Information
Purpose of Collection: To locate an individual in order to dispatch emergency response teams to the individual’s location for timely care.
Description: The data element is a point-in-time location provided by the individual to the other participants of the call that reflects a specific geographic point by communicating longitude and latitude coordinates to the participants.

Information Provided: Consent Form
Type of Information: Consent Logging Information
Purpose of Collection: Provision of authority to Lumeca to collect, store, use and retain Personal Information to provide health care services to the individual.
Description: The checkmark beside the consent form for the individual to click to indicate provision of consent.
Table 2 – Information collected and/or stored by Lumeca
(Columns: Information Provided; Type of Information; Purpose of Collection; Description)

Information Provided: Date/Time of Appointment, Which Users are present, Type of Appointment (Virtual or In-Person; Audio or Video; Synchronous [Real-Time] or Asynchronous)
Type of Information: Clinical Information – Scheduling
Purpose of Collection: To provide accurate and safe health care service. To schedule and maintain records of appointments for management and security reasons. To maintain the security and safety of all parties involved with the Lumeca Platform.
Description: These data elements are collected during the process of scheduling an appointment with a Clinical User/Patient User through Lumeca. It would allow an individual to gain the health care service(s) requested.

Information Provided: Who Accessed Consultation, Device Data of Patient & Clinical User(s), Duration of Access, IP Addresses, Video Call Data, Phone Call Data, ICD Code
Type of Information: Clinical Information – Encounter Logging
Purpose of Collection: To maintain logs of user access to confirm privacy & security of health information. To audit in the event of a data breach and for routine auditing by trustees/custodians. To support billing information processing for remuneration.
Description: These data elements are collected during the process of scheduling an appointment with a Clinical User/Patient User through the Lumeca Platform.

For every consultation, whether in person, over the telephone or by corresponding with you via mail or the Internet, health providers must collect, organize, hold, and maintain a medical chart with information relevant to the medical problem or incident expressed. They maintain and safeguard this information in trust. For more information related to their obligations, see “Trustees/Custodians” below.

While Lumeca facilitates the provision of healthcare services as described above, Lumeca itself collects only such information from individuals or organizations (such as a medical clinic) as is required for the purposes of providing services or information to them, marketing other services or products to them (as applicable), and for aggregated statistical analyses. To the greatest extent possible, we will collect Personal Information directly from the individual concerned. Our system may also communicate with other health systems that house your Personal Information, such as a clinical electronic medical record in a family doctor’s office, or the comprehensive provincial health record. When we push information to another system, it may be to link your health record from Lumeca to another health record. Authentication and identity verification steps take place to confirm that both systems are referring to the same person. We may also pull information from another system for this same purpose. This is done to coordinate your care and to improve the safety and efficiency of your health care service coordination.

In certain cases, we will be required to collect Personal Information from other sources, including but not limited to your treating physician, consulting physicians, psychologists, pharmacists, public health related data contained in the provincial comprehensive electronic health record, and insurers. In those cases, we will request your consent to obtain information from those sources or make known to you that this information was shared with us for the purpose of providing health services to you. We will also establish Information Sharing Agreements with these groups that detail the collection, use and disclosure, as well as the data protection of the information that is shared between parties.

We collect Personal Information for different purposes, depending on the type of service we are providing to you, as applicable.

These purposes include opening an account through the Lumeca platform, and providing the Lumeca platform services to you, which may include:

  • Creating a Patient User and/or Clinical User account on the Lumeca Platform
  • Authenticating your identity;
  • Pushing notifications to your mobile phone to notify you about appointments and consultation activity;
  • Supporting your access to primary or emergency health services with a medical professional or organization;
  • Providing you with other services or products in the future;
  • Using your usage data on the Lumeca Platform to tailor our marketing and communication with you;
  • Internal quality control processes, including continuous improvement analysis and/or following up with customer concerns; and
  • Aggregated statistical analyses.

Anonymous/Non-Personal Information/Aggregated Information

At Lumeca, we routinely collect anonymous/non-personal information. Anonymous/non-personal information is information that cannot be associated with or traced back to a specific individual or business entity. For example, our web servers collect some anonymous/non-personal information automatically when you visit our web sites. Gathered electronically, this information may include the pages you visited, the type of web browser you are using, the level of encryption your browser supports and your Internet Protocol address. The anonymous/non-personal information collected may be used for research and analytical purposes. For example, we can determine how many times our online privacy policy has been visited but we do not know any specific information about those visitors.

When you visit our web sites, information is not collected that could identify you personally unless you choose to provide it voluntarily. You are welcome to browse these websites at any time anonymously and privately without revealing any Personal Information about yourself.

To help us better understand our markets, we may also gather information for analytical purposes by conducting anonymous customer surveys, by extracting demographic information from existing files and from Statistics Canada.

Lumeca retains the right to use Aggregated Information in any way that it determines appropriate. Using Aggregated Information typically serves the purposes of improving the quality, efficiency and safety of care delivered, as well as garnering insights for future innovation and technical growth. When your data is de-identified and then grouped into aggregated form, you do not have the ability to request that it be removed from this format. While our legal obligations do not explicitly cover Aggregated Information, we do work to maintain its confidentiality and integrity using storage and destruction methods that meet standard information handling practices.

Ownership of Personal Information

It is important to note that as a Patient User or Clinical User, you own your Personal Information. This Policy outlines how you can make changes to, request access to, or obtain copies of your Personal Information. However, the format in which your Personal Information is kept, including but not limited to the medical records, charts, film, software, databases, applications, methodologies, and processes for gathering, processing, and storing such Personal Information belongs to Lumeca and/or our Clinical Users (as it applies to certain Personal Health Information), as applicable.

Trustees/Custodians

By law, physicians and other allied health professionals maintain records of their encounters with you in trust. Therefore, they are considered a Trustee/Custodian. These records include summaries of the symptoms you have presented to them, their own observations, a diagnosis (if applicable), and the treatment plan that was carried out, along with any correspondence between them and others involved in your care delivery. An example of this would be a referral to a specialist, or a prescription written and submitted to a pharmacist to fill. This record must be safeguarded and secured in the same way that Lumeca stores Personal Information that you enter on the Lumeca Platform. The health provider maintains custody and control of this record and entrusts Lumeca to manage this record on its behalf. According to the Health Information Protection Act of Saskatchewan (HIPA SK), this relationship is called Trustee and Information Management Service Provider (IMSP), where the physician or other allied health provider is the Trustee/Custodian and Lumeca Health is the IMSP. Other provinces may use different terms (e.g., in Alberta, it is Custodian and Information Manager); however, the core concept of the management and custodianship of personal health information remains the same.

How does Lumeca Obtain Consent to use and Disclose Personal Information?

At Lumeca, we are obliged to keep your Personal Information confidential except when authorized by you. We use Personal Information for the purposes described above.

When creating an account for the Lumeca Platform, you are asked for (i) your express consent to share your Personal Information with Lumeca for the purposes of accessing virtual health care services, (ii) your consent to the Terms of Use and (iii) your acknowledgement that you have read this Privacy Policy. Your consent is provided for the collection, use, retention, and disclosure of Personal Information that you provide during any interactions with the Platform. In other cases, such as when you book an appointment over the Internet, your consent will be implied and/or obtained electronically.

In providing healthcare services, as outlined in the Canadian Medical Association’s discussion on privacy in medical practices, consent is implied for the collection, use, and disclosure of Personal Information needed for care and treatment. Your consent implies that the Clinical User will disclose your Personal Information whenever possible to support fulfilling this treatment plan. This could include faxing your referral to a specialist, or sending a prescription to a pharmacist, or accessing your provincial comprehensive electronic health record to assess pertinent past medical history information.

During consultations, a Clinical User may require informed verbal and/or written consent from you to engage in a proposed treatment plan. This is a different type of consent from what you are consenting to by creating an account with Lumeca.

Remember, the choice to provide us with Personal Information is always yours. Your decision to withhold details may limit the services we are able to provide and make it more difficult for us to advise you, provide services to you, ensure the follow-up required by certain conditions, or suggest appropriate alternatives.

Your consent for us to use your Personal Information can be withdrawn in writing at any time (see the Contact Us section at the end of this policy). Withdrawal of consent cannot be made retroactively. If we are unable to accommodate your request based on the information that has been provided, we may ask for additional details to identify other ways to be of assistance. In some instances, we may also maintain a file containing contact history that is used for customer inquiry purposes.

Our Employees

During daily operations, access to private, sensitive, and confidential information is restricted to authorized employees who have a legitimate business purpose and reason for accessing it. For example, when you call us, visit our offices, or email us, our designated employees will access your information in order to provide services to you. It is important to note that only medical professionals (nurses, physicians, technicians, etc.) or others on a need-to-know basis will have access to your Personal Information.

As a condition of their employment, all employees of Lumeca are required to abide by the privacy standards we have established. They are also required to work within the principles of ethical behaviour as set out in our internal employee rules and must follow all applicable laws and regulations. Employees are well informed about the importance of privacy, and they are required to sign either a code of conduct or a confidentiality agreement that prohibits the disclosure of any Personal Information to unauthorized individuals or parties.

Unauthorized access to and/or disclosure of client information by an employee of Lumeca is prohibited. All employees are expected to maintain the confidentiality of Personal Information at all times and failing to do so will result in appropriate disciplinary measures, which may include dismissal.

Outside Service Suppliers

At Lumeca, to provide certain services, we may contract outside organizations to perform specialized services. Lumeca will only undertake a contract with these organizations if they meet or exceed the same safety and privacy standards that we uphold to protect your Personal Information. These standards include reasonable policies, procedures, and safeguards (including physical, technological, and organizational measures) designed to protect the privacy and security of personal information. Our trusted service suppliers may at times be responsible for processing and handling some of the information we receive from you.

Lumeca’s outside service suppliers may store and/or process personal information outside of Canada. When information is stored or processed outside of Canada, it may be subject to the laws of and be accessible by legal authorities in such other jurisdictions. For greater certainty, Lumeca has also taken appropriate technical, organizational, and legal steps to secure this information.

If you have any questions about our use of outside service suppliers and/or the types of Personal Information which they may process or handle on our behalf, please contact us (see the Contact Us section below for contact details) and we would be happy to provide additional information to you.

If you do not agree to us processing your information through any of these service suppliers, you have the right to stop using our platform.

When would we use your Personal Information Without your Consent?

Please note that there are circumstances where the use and/or disclosure of Personal Information may be justified or permitted or where Lumeca is obliged to disclose information without your consent. Such circumstances may include:

  • Where required by law or by order or requirement of a court, administrative agency, or other governmental tribunal (in this case, only the information specifically requested is disclosed and we take precautions to satisfy ourselves that the authorities that are making the request have legitimate grounds to do so).
  • Where Lumeca believes, upon reasonable grounds, that it is necessary to protect the rights, privacy, safety or property of an identifiable person or group, including for the purpose of acting in respect of an emergency that threatens the life, health, or security of an individual;
  • Where it is necessary to establish or collect monies owing to Lumeca (in this case, we would only disclose Demographic Information and not Personal Health Information);
  • For billing provincial government branches for provincially insured medical services;
  • Where it is necessary to permit Lumeca to pursue available remedies or limit any damages that Lumeca may sustain;
  • Where such information is already in the public domain.

Where obliged or permitted to disclose information without consent, Lumeca will not disclose more information than is required, and when disclosed in the context of an emergency that threatens the life, health, or security of an individual, we will inform the individual afterwards in writing regarding the disclosure. Lumeca does not sell, trade, barter, or exchange for consideration any Personal Information it has obtained.

Personal Information may also be subject to transfer to another organization in the event of a merger or change of ownership of all or part of Lumeca. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including a determination whether

Accuracy of your Personal Information

At Lumeca, decisions, including healthcare recommendations, are often made based on the information we have. Therefore, it is important that your personal and health information is accurate and complete. We endeavour to ensure that any Personal Information provided and in our possession is as accurate, current, and complete as necessary for the purposes for which Lumeca uses that information.

As a client, you can request to check your information to verify, update and correct it (where applicable). We do our best to make sure you have access to and control over most of your personal information. Most of this content is available in your personal account profile, and current or past consultation chats can be reviewed at any time.

Requests for access to your Personal Information must be made in writing (see the Contact Us section in this document for the information), and we will provide you with a reasonable cost estimate that reflects the cost of staff time.

Should you wish to see other details of your record or account, please make a formal request to us. After receiving the request, we will contact the Healthcare Provider who treated you and then provide you with a reasonable cost estimate that reflects the cost of staff time for generating the records. When the request is to see Personal Health Information, in certain cases, the Health Provider will review the record with those staff entrusted with this task.

If you only wish to view the original record in person, clinical staff must be present to maintain the integrity of the record. This is done to secure the integrity of your record and you may be asked to attend an office location to carry this out. be expected to seriously endanger the mental or physical health or safety of the individual making the request or another person, or if disclosure of the information would reveal personal health information about another person who has not consented to the disclosure. In this case, we will do our best to separate out this information and disclose only what we can.

If you have a sensory disability, we will give you access to your personal information in any alternative format you request if we already have it in that format or if its conversion into that format is reasonable and necessary for you to be able to exercise your rights under applicable legislation. Again, a request to view your Personal Information in an alternative format must be made in writing, and we will provide you with a reasonable cost estimate that reflects the cost for such conversion.

Correcting your Personal Information

To help us keep your Personal Information up to date, we encourage you to amend inaccuracies and make corrections as often as necessary. Despite our best efforts, errors sometimes do occur. Should you identify any incorrect or out-of-date information in your file(s), we will make the proper annotations and provide you with a copy of the corrected information. Where appropriate and/or applicable, we will communicate these changes to other parties who may have unintentionally received incorrect information from us.

For corrections to your Personal Health Information, you can request changes to be made to your record and this request will be documented by an annotation in the record. However, we will only make changes to reflect factual inaccuracies, rather than correcting medical opinions, diagnoses, laboratory evaluations or other medical evidence, which we as healthcare providers are required to keep.

All requests to access or to make corrections and changes to your Personal Information must be made to us in writing.

We will deal quickly with your request to see your information, and always respond to you within 30 days. If we need to extend the time, or we must refuse your request, we will tell you why, subject to any legal restrictions, and we will notify you of the new deadline, the reasons for the extension, and your rights under applicable legislation respecting the extension.

Retention and Disposal of Personal Information

Lumeca keeps Personal Information only if it is required for the reasons it was collected. The length of time we retain information varies, depending on the product or service and the nature of the information. This period may extend beyond the end of a person’s relationship with us, but it will be only for as long as it is necessary for us to have sufficient information to respond to any issues that may arise later.

Depending on the service offered, including both Patient User entered data and Clinical User entered data, we retain patient medical records where required by law and provincial health regulations. In certain cases, this is 7-10 years after the examination, or a minimum of 7 years after the last entry into the medical record. For minors, this is 7 years after they reach the age of majority.

We recognize and value the shift towards consumers accessing, controlling usage and deletion of their own personal data. While we also value this shift towards more customer and/or patient control, we do still have to follow data retention laws that exist today. As such, we cannot delete your Personal Information before it has reached its retention period. Once it is provided to us for the purposes of seeking health care services, it must be stored for the required time, typically 7-10 years. Being mindful of this, if you wish to transfer your records, we can support you in this process. You may tell the Provider at the time of your consultation if there is another provider who you wish to receive a summary of the encounter notes. They can facilitate this in the moment. After the fact, you may share your encounter notes yourself by logging into the Lumeca Platform and showing or communicating them verbally to a person of your choosing. Once you have shared your personal information outside of the Lumeca Platform, we no longer retain responsibility for the confidentiality, integrity, and availability of this personal information. If you wish to transfer your record in a secure format, please contact the Provider directly to make this request. If you wish, you may contact us directly (see below) and we can facilitate connecting you to the Trustee/Custodian of the encounter record and get it safely transferred to another provider within and/or outside of the Lumeca Platform.

Currently, the principal places in which Lumeca holds Personal Information are in the cities in which Lumeca has offices and Canadian centres where off-site storage facilities may be located, or, in instances where Lumeca uses third-party contractors to provide services to you (e.g., Physicians who perform independent medical evaluations, or nurses who perform paramedical examinations), at such premises for those third-party contractors.

Lumeca may use service providers who operate in jurisdictions outside of Canada (e.g., the United States of America), and your Personal Information may be subject to the laws in those jurisdictions. Where possible, Lumeca has designated that all Personal Information be maintained in data centres located in Canada. However, information does flow through, and may be temporarily stored in, other jurisdictions.

When your Personal Information is no longer required for Lumeca’s purposes, we have procedures to destroy, delete, erase, or convert it into an anonymous form. This includes the service providers we contract with.

We destroy our records in a way that protects patient privacy in accordance with regulations made under appropriate provincial and federal legislation. Most of the time, your records are electronic. Should we have any paper documents, we use supervised shredding contractors who must adhere to contractual privacy obligations. These procedures may change over time to respond to industry best practices for secure data destruction.

Communicating Personal Information to Lumeca

While the physical characteristics of each are different, mail, telephone calls, faxes and transmissions over the Internet are all susceptible to possible loss, misrouting, interception, and misuse of the information being communicated or transmitted.

Lumeca attempts to strike a reasonable balance between security and convenience. In communicating with clients and others, Lumeca often requests the right to use a method of communication that is less secure than some of its less convenient alternatives. An example of this is email. At this time, when we use email, it may be sent as unencrypted plain text. We do this because Lumeca believes that many of our clients and others cannot readily process encrypted email. This is done for their convenience but has the security concern that, if misrouted or intercepted, it could be read more easily than encrypted email.

As such, we strongly recommend that you consider the risks associated with this type of communication when contacting our team for troubleshooting support or our business team for general inquiries. Only provide us the necessary information required in order to support you achieving your desired outcome.

Security

At Lumeca, we maintain security standards to ensure that your Personal Information is protected against unauthorized access, disclosure, inappropriate alteration, or misuse.

All safety and security measures are also appropriate to the sensitivity level of your information, through a practice called information classification. Lumeca further protects Personal Information by restricting access to it to those employees who the management of Lumeca has determined need to know that information in order for Lumeca to provide its services. We use regulatory best practices to determine the need-to-know.

A variety of controls may be put in place, all of which are grounded in the three pillars of security: physical, technological & organizational. Security extends beyond electronic technical controls (e.g., encryption, firewalls & two-factor authentication), and reaches to human practices and behaviours (e.g., password management, risk awareness training & background checks) as well as organizational decisions and controls (e.g., policies, data governance & cyber insurance). Other physical safeguards include maintaining a clean desk environment and limiting access to secured office spaces to approved/scheduled guests/clients and employees only.

Electronic client files are kept in a secured environment with restricted access. Paper-based files are stored in locked fire-resistant filing cabinets or filing rooms equipped with sprinkler systems. Access to these areas is also highly restricted.

We manage our server environment appropriately and our firewall infrastructure is strictly adhered to. Our security practices are reviewed on a regular basis and we routinely employ current technologies to ensure that the confidentiality and privacy of your information is not compromised.

Our computer-security specialists build security into all our computer systems. For information stored in electronic format, this protects your information both when it is stored in data files and when it is handled by our employees. Our systems also protect your information when it is transmitted, for example, between our offices.

Lumeca protects the flow of Personal Information by encrypting data in transit with protocols such as TLS 1.2. All data is encrypted at rest using industry standard AES-256 encryption with additional column level encryption depending on the sensitivity of the data. In addition to encryption, Lumeca utilizes web application firewall policies to restrict malicious content and limit access. We also make use of intelligent machine-learning activity monitoring for anomaly and threat detection.

Your password information is safeguarded using modern and secure hashing algorithms. Please ensure you maintain your password in strict confidence, use strong passwords and otherwise protect the security of all your devices to prevent improper access to your Personal Information. We recommend that you activate two-factor authentication in your profile if you have a mobile number that can receive SMS messages.

While identifiers have been removed from the Aggregated Information, it is important to note that threat actors may have the ability to combine Aggregated Information with other information from a different source (for example, a membership list or a cell phone carrier) and re-identify the information. As such, we continue to protect Aggregated Information from malicious access through a variety of controls, including grouping the de-identified information to make it harder to re-identify. We also implement organizational cyber security controls that limit access to and use of Aggregated Information.

Information Breach Management

While Lumeca maintains a variety of controls to secure and safeguard your Personal Information, there are a variety of means by which information can be breached. One of the most common breaches in healthcare is the misdirected fax. Personal Information may flow to an unintended recipient for reasons that are outside of our control, such as human input error, or a change in contact information.

Other common forms of breaches can be through ransomware and phishing, or social engineering. We work hard to train all our staff and contractors on safe privacy and security practices so that they do not become victims of such attacks. However, these types of attacks are becoming more and more common. Our business approach treats these situations as not a matter of if, but when. As such, Lumeca, as a company, puts in place Incident Response Planning, which includes breach reporting training. We have a culture of safety and encourage all employees and contractors to report anything of concern, even if they are not sure of the level of risk. We investigate these reports to determine if Personal Information was breached. Should a breach occur, our Incident Response Team assesses the risk to you using privacy risk assessment standards that meet federal privacy law requirements.

The Incident Response Plan is intended to respond rapidly to determine the cause of the breach and what information was breached, and to stop, mitigate or contain the loss of Personal Information. We document these practices and keep a record of any incident that occurs. Part of this investigation includes an assessment of the risk of harm that is posed to you by the loss of this information.

Should we determine that the breach poses a risk of harm to you, we will notify you within a reasonable time directly by email, letter mail or telephone, and suggest and support ways to mitigate that risk. We would also report this breach to the Office of the Federal Privacy Commissioner to meet our reporting requirements under PIPEDA, and potentially to provincial privacy commissioners as well.

Finally, we evaluate what the cause of the breach was. If, for example, the cause was human error, then an appropriate evaluation of the causes of the error will take place. The Incident Response Team will decide on go-forward steps that can reduce the chances of such an event occurring again. Even without an incident occurring, Lumeca’s Privacy & Security team is constantly evaluating current and emerging threats and putting into place safeguards and controls that can prevent these from occurring.

Business Continuity & Disaster Recovery

Servers that house electronic data are vulnerable to real world disasters, such as fires or floods. As such, we have taken reasonable steps to back up your Personal Information daily to preserve the integrity of the information. This backup is stored on a different server in another location so that it may be recovered should something happen to the original server. This course of action allows us to limit any interruptions in service that may occur from a server malfunctioning. We would spin up a new instance of the product and its information as quickly as possible in order not to interrupt your access to the product and the services you seek through the product.

To prepare for such an event, it is important to always have a backup method of communication with your Health Provider. This can be as simple as asking the provider how they will contact you if the internet or mobile network is not working or breaks down. By having a plan in place, you and your provider can be sure that healthcare services are not disrupted or delayed.

Lumeca Web Sites

Lumeca provides clients and others with general access to public web sites and, in certain cases, restricted access to extranets. Our web servers track general information about visitors such as their domain name and time of visit. Lumeca’s web servers also collect and aggregate information regarding which pages are being accessed as well as information volunteered by visitors through online surveys or subscriptions to electronic newsletters. This information is used internally, only in aggregate form, to better serve visitors by helping us to:

  • Manage our sites
  • Diagnose any technical problems
  • Improve the content of our website

During an individual’s use of the Internet, he or she will learn of the common use of “cookies.” “Cookies” are files or pieces of information that may be stored on a computer’s hard drive when an individual visits a web site. Most Internet browsers are initially set to accept cookies. If you do not wish to accept cookies, you can set your browser to refuse cookies or to alert you when cookies are being sent. In certain cases, refusing to accept cookies may affect our ability to provide you access to certain information over the Internet.

It must be stressed that all medical content found on this website is for reference only and should not be seen as a medical prescription or opinion. It does not represent a complete or precise analysis of your current state of health. Via this website we do not offer personalized medical guidance, nor do we offer treatment advice relating to specific patients. Only your doctor or another health professional can decide if any treatment found on this website is right for you. Consulting the content of this page should not replace a visit with your doctor or health professional. YOU SHOULD NOT NEGLECT OR POSTPONE A MEDICAL APPOINTMENT DUE TO INFORMATION THAT YOU HAVE FOUND ON THIS WEBSITE. PLEASE CONSULT YOUR DOCTOR OR ANOTHER QUALIFIED HEALTH PROFESSIONAL BEFORE FOLLOWING ANY TREATMENT ADVICE ON THIS WEBSITE. By using this website, you acknowledge that you have read and understood this legal notice and agree to the terms of use.

Amendment of Lumeca Practices and this Policy

This statement is in effect as of November 11, 2022. Lumeca will, from time-to-time, review and revise its privacy practices and this Policy. In the event of any amendment, an appropriate notice will be posted on Lumeca’s website. Policy changes will apply to the information collected from the date of posting of the revised Policy to Lumeca’s website as well as to existing information held by Lumeca.

Contacting Us

In the event an individual has questions about (a) access to their Personal Information; (b) the collection, use, management, or disclosure of their Personal Information; or (c) this Policy, that person should contact the Chief Privacy Officer in writing.

At Lumeca, we are committed to maintaining and protecting the Personal Information under our control. In fulfilling this mandate, we have designated an individual (and in certain cases, individuals) who is accountable for our compliance with this Policy.

If you have any concerns, inquiries, or suggestions regarding this Policy, please submit them in writing (either by mail or email) to:

Mail: Attention of: Privacy Officer
Lumeca Health Inc.
Suite 220 – 10 Research Drive
Regina, SK S4S 7J7
Email: privacy@lumeca.com

Individuals who feel that their privacy rights have been infringed upon can complain to the Privacy Commissioner of Canada. The Commissioner’s role is that of an ombudsman, trying to find solutions to privacy problems, and resolving complaints through negotiation and persuasion, and using mediation and conciliation if appropriate.

Please visit the Privacy Commissioner of Canada’s website at http://www.privcom.gc.ca for details.