Privacy and Security Policy

Effective Date: June 25, 2025

Last Updated: August 25, 2025

1. Introduction

CyberMD Inc ("we," "us," "our") is committed to protecting the privacy and security of personal health information ("PHI") in accordance with the Personal Health Information Protection Act, 2004 ("PHIPA"), the Personal Information Protection and Electronic Documents Act ("PIPEDA"), the Freedom of Information and Protection of Privacy Act ("FIPPA"), and other applicable Canadian privacy laws.

This Privacy and Security Policy ("Policy") explains how we collect, use, disclose, and safeguard personal health information when healthcare providers use CyberMD AI, our AI-powered medical documentation service.

2. Our Role Under PHIPA

CyberMD AI operates as an agent of health information custodians under PHIPA. We process personal health information solely on behalf of healthcare providers who remain the health information custodians responsible for the PHI of their patients. We do not make independent decisions about the collection, use, or disclosure of PHI except as directed by the health information custodian or as required by law.

3. Definitions

Personal Health Information (PHI): Information about an individual's physical or mental health, healthcare history, or healthcare provider interactions.

Health Information Custodian: Healthcare providers, hospitals, and other entities defined under PHIPA who have custody or control of personal health information.

4. Information We Collect

4.1 Patient Information

We collect and process the following types of information on behalf of health information custodians:

  • Identification Information: Name, date of birth, health card number, contact information
  • Clinical Information: Medical history, symptoms, diagnoses, treatment plans
  • Audio Recordings: Recordings of patient-provider conversations during clinical encounters
  • Generated Documentation: Transcriptions, clinical notes, and summaries

4.2 Healthcare Provider Information

  • Professional identification and credentials
  • Account and authentication information
  • Usage data and preferences
  • Communication records

4.3 Technical Information

  • Access logs and audit trails for security and compliance purposes

5. How We Collect Information

Information is collected through:

  • Direct Entry: Healthcare providers entering patient information
  • Audio Recording: With explicit patient consent, recording clinical conversations
  • Automated Processing: AI-powered transcription and documentation generation
  • System Integration: Data imported from or exported to electronic medical records (EMRs)

6. Consent

6.1 Patient Consent

We require healthcare providers to obtain explicit patient consent before:

  • Recording any clinical conversation
  • Processing patient information through our AI systems
  • Generating clinical documentation

Patients have the right to:

  • Refuse consent for recording or AI processing
  • Withdraw consent at any time
  • Request alternative documentation methods

6.2 Implied Consent

In accordance with PHIPA, implied consent may be relied upon for:

  • Providing healthcare services
  • Sharing information between healthcare providers for continuity of care
  • Other purposes specifically permitted under PHIPA

7. Use of Information

7.1 Primary Uses

We use PHI exclusively to:

  • Transcribe clinical conversations into text
  • Generate clinical documentation (SOAP notes, referral letters, summaries)
  • Provide healthcare providers with tools to review and edit documentation
  • Create patient-friendly visit summaries when requested

7.2 Prohibited Uses

We explicitly DO NOT:

  • Use patient PHI to train, develop, or improve our AI models
  • Share PHI with third parties for commercial purposes
  • Conduct research on patient data without explicit consent and ethics approval
  • Create patient profiles for marketing or advertising

7.3 De-identified Data

We may use de-identified, aggregated data to:

  • Improve system performance and reliability
  • Generate usage statistics
  • Conduct quality assurance

We do so only when such use cannot reasonably identify any individual.

8. Disclosure of Information

8.1 Authorized Disclosures

We may disclose PHI only:

  • As directed by the health information custodian
  • With explicit patient consent
  • To other healthcare providers for continuity of care (with appropriate consent)
  • As required or permitted by law

8.2 Legal Requirements

We may disclose PHI without consent when required by:

  • Court orders or subpoenas
  • Law enforcement investigations (as permitted by PHIPA)
  • Public health authorities for mandatory reporting
  • Professional regulatory bodies for investigations

8.3 Service Providers

We work with carefully selected service providers who:

  • Are bound by comprehensive data protection agreements
  • Process data only on our explicit instructions
  • Meet or exceed our security standards
  • Provide equivalent privacy protection to Canadian law
  • Are contractually prohibited from using PHI for any secondary purpose
  • Submit to regular security audits and assessments
  • Maintain appropriate certifications (e.g., SOC 2, ISO 27001, HIPAA compliance where applicable)

9. Security Measures

9.1 Technical Safeguards

  • Encryption: Industry-standard encryption for all PHI in transit and at rest
  • Access Controls: Role-based access control with principle of least privilege
  • Authentication: Multi-factor authentication available
  • Audit Logging: Comprehensive logs of all PHI access and modifications
  • Network Security: Enterprise-grade security infrastructure

9.2 Administrative Safeguards

  • Staff Training: Regular privacy and security training for all personnel
  • Confidentiality Agreements: All staff and contractors sign confidentiality agreements
  • Access Management: Regular review and update of access permissions
  • Incident Response: Documented incident response and breach management procedures

9.3 Security Assessments

We conduct:

  • Annual security risk assessments
  • Regular penetration testing
  • Ongoing vulnerability scanning
  • Privacy impact assessments for new features

10. Data Location and Residency

10.1 Canadian Data Storage

All PHI is permanently stored in Canada. We use Supabase infrastructure hosted in Canadian data centers to ensure compliance with Canadian privacy laws. Your data remains under Canadian jurisdiction and privacy protection.

10.2 International Processing with Safeguards

While all data storage remains in Canada, certain data processing activities may involve carefully selected international service providers. When this occurs:

  • Data Protection Agreements: We execute comprehensive data protection agreements that meet or exceed PHIPA requirements
  • Equivalent Protection: All international processors must provide privacy protection equivalent to Canadian standards
  • Temporary Processing Only: PHI is only temporarily processed and never permanently stored outside Canada
  • Encryption: All data remains encrypted during any international processing
  • No Secondary Use: Contractual prohibitions against any use of PHI beyond the specific processing service
  • Audit Rights: We maintain the right to audit all international processors

11. Data Retention and Deletion

11.1 Retention Period

We retain PHI for the minimum period necessary:

  • Active Records: As long as the healthcare provider maintains an active account
  • Audio Recordings: Automatically deleted 30 days after transcription
  • Clinical Notes: Retained until exported to EMR and deletion confirmed by provider
  • Archived Records: 7 years from last activity (or as required by provincial regulations)

11.2 Secure Deletion

When PHI is no longer needed, we ensure secure deletion using industry-standard methods with full audit trails.

12. Patient Rights

12.1 Right to Access

Patients have the right to:

  • Request access to their PHI
  • Receive copies in accessible formats
  • Understand how their information is used

Requests should be directed to their healthcare provider, who can facilitate access through our platform.

12.2 Right to Correction

Patients may request corrections to their PHI by:

  • Contacting their healthcare provider
  • Providing documentation supporting the correction
  • Having corrections noted in their record

12.3 Right to Withdraw Consent

Patients can withdraw consent at any time by:

  • Notifying their healthcare provider
  • Submitting a request through our privacy portal
  • Understanding that withdrawal may affect service delivery

12.4 Right to Complaint

Patients may file privacy complaints with:

  • Our Privacy Officer: privacy@cybermd.ca
  • Their healthcare provider's privacy officer
  • The Information and Privacy Commissioner of Ontario: www.ipc.on.ca

13. Breach Management

13.1 Breach Response

In the event of a privacy breach:

  1. Immediate Containment: Stop the breach and secure systems
  2. Assessment: Evaluate scope and impact
  3. Notification:
    • Health information custodians notified immediately
    • IPC notified as required by PHIPA
    • Affected individuals notified through their healthcare provider
  4. Remediation: Implement measures to prevent recurrence

13.2 Breach Prevention

We maintain:

  • 24/7 security monitoring
  • Automated threat detection
  • Regular security updates and patches
  • Employee security awareness training

14. AI and Machine Learning

14.1 Our Commitment

  • No Training on Patient Data: We never use identifiable patient PHI to train our AI models
  • Third-Party AI: We use OpenAI's services with strict data protection agreements
  • Data Processing Agreement: OpenAI is contractually prohibited from using PHI for model training

14.2 AI Transparency

  • Healthcare providers are informed when AI is used
  • AI-generated content is clearly marked
  • Providers maintain full control over final documentation

15. Third-Party Services

15.1 Infrastructure Providers

We use carefully selected third-party service providers under strict data protection agreements. All providers are contractually prohibited from using PHI for any purpose beyond providing services to us.

15.2 No Marketing or Analytics

We do not use:

  • Marketing or advertising services that process PHI
  • Analytics that track individual patients
  • Social media pixels or tracking

16. Updates to This Policy

We may update this Policy to reflect changes in privacy laws, new features, or improved practices. Significant changes will be communicated to healthcare providers through our platform.

17. Compliance and Certification

17.1 Current Compliance

  • PHIPA (Personal Health Information Protection Act)
  • PIPEDA (Personal Information Protection and Electronic Documents Act)
  • FIPPA (Freedom of Information and Protection of Privacy Act)

17.2 Infrastructure Compliance

Our infrastructure maintains:

  • SOC 2 Type II certification (annual audits)
  • HIPAA compliance (with BAA available)
  • GDPR-ready infrastructure with regional data residency

18. Contact Information

Privacy Officer

Email: privacy@cybermd.ca

General Inquiries

Email: support@cybermd.ca

Website: www.cybermd.ca

Compliance Team

Email: legal@cybermd.ca

19. Acknowledgment

By using CyberMD AI services, healthcare providers acknowledge that they:

  • Have read and understood this Policy
  • Will obtain appropriate patient consent
  • Remain the health information custodian for their patients' PHI
  • Will comply with applicable privacy laws

© 2025 CyberMD Inc. All rights reserved.