Last updated: October 6, 2021
- We refer to the services we provide through our platform as “Services”.
- We use the word “Subscriber” to refer to a healthcare organization that subscribes to and pays for our platform. Subscribers may be referred to as a “health information custodian”, a “covered entity” or a “controller” depending on their location and the privacy laws applicable to them.
- We use the word “you” to refer to any individual user of our Services, such as a healthcare practitioner or staff member at a Subscriber’s organization.
- Baysil is a service provider to Subscribers and may be referred to as an “agent”, “business associate” or “processor” of the Subscriber.
This Policy may be updated or amended from time to time.
Medical Data. If you are a patient or client of one or more of our Subscribers, note that your healthcare practitioners control some of the information that gets collected about you, including your billing details and medical data. Please contact your healthcare practitioners for any questions about the information they collect about you. Also refer to the section titled Patient / Client Data below for further information.
Third-Party Services. We may offer integrations with third-party services that you may choose to use with our Services, such as email services, payment processing, assessment tools, and finance management. Please note that these third-party services have their own policies for collecting private information. You must refer to the privacy policies of those third parties for information about what personal information they collect.
Information We Collect
Contact Information. We collect your contact information, such as your name and email address, when you set up your user account for our Services. We use your contact information to activate your user account, give you access to the Services, and to send you notices about your user account.
Billing Information. When a Subscriber subscribes to our Services, we also collect credit card information to process payment. Credit card information is provided directly to our payment processor and is processed in a PCI-compliant manner. We do not keep your credit card information.
Log and Device Information. When you access and browse our Services, we collect information about how you are accessing our Services, such as your internet or mobile network connection, your browser or the type of mobile device you are using (if applicable). We use this log and device information to identify how our Services are being accessed and used so we can optimize them for the types of connections, browsers and devices being used.
Legal Basis (GDPR EU/UK)
For personal information that is subject to the General Data Protection Regulation (GDPR), we rely on the following legal bases for collecting and using your personal information:
- Your consent
- Our legitimate interests (which are not overridden by your privacy rights), such as operating our business, understanding and improving our Services, communicating with our Subscribers and users about our Services, and protecting our legal rights and interests.
You may withdraw your consent at any time. Where we are using your personal information for our legitimate interests, you have the right to object to that use. See below under Your Rights for how to withdraw consent or object.
If you are a patient or client of one of our Subscribers, please contact your healthcare providers if you have any questions about the legal basis for collecting and using your personal information. Our Subscribers may have a different legal basis for collecting and using a patient or client’s personal information, such as providing health care or treatments as a regulated healthcare professional.
Patient / Client Data
Personal Health Data. Subscribers use our Services to collect personal information from their patients or clients. These records may include a person’s name, contact, health insurance and billing information, medical information, appointment history and other data (“Patient/Client Data”). This information is sometimes referred to as “personal health information”, “protected health information”, “data concerning health” or “sensitive data” depending on the location of the Subscribers and the privacy laws applicable to them. If you are a patient or client, Patient/Client Data is collected from you when you visit your Subscriber healthcare provider and when your healthcare provider sets up an account for you.
Subscriber’s Role. Subscribers retain sole control over Patient/Client Data and may be referred to as a “health information custodian”, a “covered entity” or a “controller” depending on their location and the privacy laws applicable to them.
- What Patient/Client Data to collect;
- How the Subscriber will use the Patient/Client Data; and
- Who has access to Patient/Client Data.
Subscribers are responsible for complying with laws and regulations governing the use of Patient/Client Data, and for determining the legal basis for such use.
Baysil’s Role. Baysil is a service provider to Subscribers and may be referred to as an “agent”, “business associate” or “processor” of the Subscriber. Baysil stores Patient/Client Data in its secure data centers and makes it available to Subscribers and their users through our Services. Baysil otherwise has no control over Patient/Client Data. Baysil will only access Patient/Client Data on the instructions of the Subscriber or its users, or, in rare cases, where needed in order to prevent or address technical problems or if required by law or court order.
Storage Location. Patient/Client Data is stored in Canada. Please note that we use US-based service providers for appointment reminders sent by email or SMS and, therefore, Patient/Client Data contained in appointment reminders will go through and may be stored temporarily in the United States. All our data centres and service providers maintain a high level of security and are compliant with applicable privacy laws.
Patient/Client Rights. Patients and clients have certain rights with respect to their Patient/Client Data, which may include knowing what information their Subscriber healthcare provider has about them, correcting any inaccurate Patient/Client Data, obtaining a record of their Patient/Client Data and, in certain circumstances, deleting or removing their Patient/Client Data. Subscribers have strict legal and regulatory obligations around Patient/Client Data and may not always be permitted to delete or remove Patient/Client Data.
Sharing Your Information
We do not sell or distribute personal information to third parties for their own commercial or marketing purposes. We will only share personal information we collect in the circumstances listed below.
Suppliers and Service Providers. In order to operate our business and provide the Services to our Subscribers and their users, we may need to share a limited amount of personal information, including Patient/Client Data, with our third-party suppliers and service providers. Before sharing personal information, we ensure that the third parties receiving the personal information have provided appropriate safeguards, and that privacy rights are protected and preserved. Some of the areas where we use third-party suppliers and service providers include:
- Our data centers where all platform data is stored
- Customer support services to help us collect feedback and manage our support services
- Communication services to send out email and SMS notices or reminders
- Payment processors
Corporate Transactions. We may share personal information in connection with negotiating or carrying out a financing or acquisition of our business, a merger or amalgamation with another business, or a sale of all or part of our company assets. Before sharing personal information, we will ensure that appropriate confidentiality and non-disclosure undertakings are in place. We will not share Patient/Client Data in circumstances where such undertakings are not in place.
Compliance with Laws. We may disclose personal information to a third party if we are required to do so by applicable law, government request, court order or regulatory body. We may also be required to disclose personal information to enforce our legal rights, to enforce security requirements, or to respond to an emergency which we believe, in good faith, requires us to disclose personal information. In such instances, if permissible, we will make every reasonable effort to give you as much notice as possible regarding the disclosure of your personal information, what information was disclosed, and why. We will not disclose Patient/Client Data unless legally required to do so.
Anonymized/Aggregated Data. Baysil may use computer-generated algorithms to gather anonymous and aggregated information from our Subscribers and their Patient/Client Data in order to assist in our continued development and improvement of the Services, and for research, data analysis, benchmarking, statistics or trend analysis. We will ensure that none of the information we gather identifies, or could be used to identify, any user, patient, or client. Baysil may share such anonymized information with Subscribers and others, for example, by providing insights into clinical conditions and workflows.
We protect all personal information, including Patient/Client Data stored in our platform, by:
- Using industry standard security controls such as encryption and an SSL (Secure Sockets Layer) certificate to ensure information is transmitted over a secured connection between your browser and our web server.
- Using state-of-the-art data centres with appropriate security and compliance certifications, such as SOC 2 and EU-US Privacy Shield that are HIPAA compliant.
- Having our personnel sign strict confidentiality agreements to ensure they understand the confidential nature of the data we process, and so they only access your account when you request assistance from us.
- Requiring password protection of your user account with a password set by you. We cannot access or identify your password. The only way to recover a password is for you to initiate a reset request for your use of our Services.
While we employ industry standard measures to protect your information, no electronic communication can ever be completely secure. You share responsibility for protection of your personal information by keeping your username and password confidential.
We retain personal information only for as long as necessary to achieve our stated purposes, or as required by applicable law. For example, billing information is kept for as long as a Subscriber account is active and for a reasonable period after it has been deactivated in the event the Subscriber wishes to re-activate the account. User account information may also be retained as necessary to comply with our legal obligations, resolve disputes or maintain our relationship with our Subscribers. Credit card information is never kept or stored by us.
We do not delete Patient/Client Data you collected, even if your Subscriber account is deactivated. This is necessary as that information may be used by other Subscribers who share in the provision of care of your patient or client. However, you may contact us if there are special circumstances in which you need Patient/Client Data deleted.
Patient and Client Rights
Individuals have certain rights with respect to their personal information. These rights are set out below. Patients and clients of our Subscribers may exercise any of these rights with respect to their Patient/Client Data by contacting their healthcare providers.
Correction and Deletion. Patients and clients may update, correct or delete their account information at any time by contacting their authorized healthcare providers.
Withdrawing Consent. Where we have relied on patient or client consent to use their personal information, patients and clients have the right to withdraw that consent at any time and may do so by requesting their authorized healthcare providers to withdraw their consent.
Access and Portability. Patients and clients have the right to request a record of the personal information collected about them and to ask that the information be provided in a structured electronic format. Patients and clients can access this information by requesting it from their authorized healthcare providers. However, there may be some cases where certain information about the patient or client cannot be disclosed if it would mean disclosure of personal information of another person or other confidential information, or if it would compromise our security systems.
Restriction and Objection. In certain limited circumstances, individuals in the EU may request that we restrict our use of their personal information and, where we rely on legitimate interests as the legal basis for using their personal information, patients and clients have the right to object to such use. In these cases, we can be required to no longer use their personal information; however, this may mean that certain components of our Services cannot be made available to these patients and clients, and to their authorized healthcare providers. If patients and clients wish to exercise their right to restrict or object, they may contact us.
Complaints. Patients and clients have the right to lodge a complaint with a supervisory authority; that is, the independent public authority responsible for monitoring data protection laws in their country. Patients and clients may also contact the Information and Privacy Commissioner of Ontario for Ontario matters (http://www.ipc.on.ca) or the Privacy Commissioner of Canada for international matters and inter-provincial matters (http://www.priv.gc.ca).