Patient Information Governance Policy

The Clinique dentaire B. Fabre et associés is aware of its responsibilities with regard to the protection of personal information.

This policy sets out the rules regarding the governance of patient personal information held by the clinic. It is published on the clinic's website.

1. Person responsible for the protection of personal information

Annabelle Laurin is designated as the person responsible for the protection of personal information (Privacy Officer) held by the Clinique dentaire B. Fabre et associés. She can be reached by telephone at 450-653-4050 or by e-mail at protection_rp(a)cliniquebfabre.com.

She has received training in the protection of personal information.

In compliance with the law, she receives and handles all requests related to the protection of personal information, regardless of their nature:

• she receives and processes requests for access, rectification, copies of files, restriction or refusal of access, and withdrawal of consent;
• she manages confidentiality incidents;
• she keeps a register of confidentiality incidents;
• she notifies the persons concerned of confidentiality incidents that present a risk of serious harm;
• she notifies the Commission d'accès à l'information of confidentiality incidents that present a risk of serious harm;
• she maintains the logbook;
• she may make recommendations concerning the protection of personal information;
• she may propose the holding of training activities on the protection of personal information.

2. Personal information collected

The clinic only collects personal information that is necessary for the provision of dental care, and that is required by the laws and regulations governing the practice of dentistry in Quebec and Canada.

2.1 What information does the dental clinic collect?

The clinic collects the personal information listed in sections 15 and 16 of the Regulation respecting the keeping of offices and records and the cessation of practice of members of the Ordre des dentistes du Québec, namely:

• the patient's name, sex, date of birth, address, email and telephone number;
• the patient's medical and dental history and background.

The dentist also records the following information in the patient's dental record:

• date of consultation;
• diagnosis;
• treatment options and prognosis;
• record of operations and description of all forms of treatment carried out;
• materials and medications used in treatment;
• written prescriptions for medication or treatment;
• significant elements of any verbal or written communication with or about the patient;
• results of examinations carried out, diagnostic elements and reports of radiological examinations, as well as all models;
• annotations relating to information provided to the patient concerning acceptance of treatment, and annotations relating to receipt of the patient's consent to treatment;
• the name, concentration and quantity of products used in the case of general, regional or local anesthesia, or conscious or deep sedation;
• information and recommendations provided to the patient regarding treatment;
• the date the patient was referred to a health professional, the name of the health professional, the purpose of the consultation and the report issued as a result of the consultation;
• annotations, correspondence and any other documents relating to services rendered by the dentist and any copies of documents or certificates issued to the patient;
• information on professional fees and any amounts billed to the patient;
• any note signed by the patient or his or her representative, when he or she has requested the removal of an item or document, indicating the nature of the document and the date of its removal.

The dentist collects the information contained in the Ordre des dentistes du Québec's confidential medical-dental questionnaire.

For billing purposes, the clinic may also collect the patient's health insurance number, health insurance card expiry date, name of insurance company, last-resort financial assistance status, and so on.

In the case of a financial agreement signed with the patient, the clinic collects the credit card number, expiry date and name of the cardholder, which it retains for the duration of the agreement in question.

2.2 How and from whom is it collected?

Personal information is collected from the person concerned prior to the first episode of care, using the confidential medical-dental questionnaire.

The personal information of a minor under the age of 14 is collected from the person with parental authority or the guardian.

The personal information of a minor aged 14 or over is collected, at the minor's option, from the minor himself or herself, or from the person with parental authority or the tutor.

The personal information of a person of full age who lacks legal capacity is collected from the tutor or mandatary.

At the time of the initial collection of personal information, and thereafter upon request, the patient or his or her legal representative is informed in clear and simple terms using the form entitled "The clinic informs you" of the following elements:

• the name of the organization collecting the information;
• the purposes for which the information is collected;
• the means by which the information is collected;
• the right to access and rectify the information;
• the possibility of restricting or refusing access to this information and the terms and conditions;
• the right to withdraw consent to the communication or use of the information collected;
• how long the information will be kept.

3. Safeguards for the protection of personal information collected

3.1 Who within the company has access to the personal information collected?

• the clinic's professionals, employees, trainees or students have access to patient personal information only to the extent necessary for the performance of their duties;
• dentists, dental hygienists and dental assistants have access to health information required to provide dental care;
• administrative staff have access to information required for billing, appointment scheduling and other administrative purposes.

All clinic employees, including interns and students where applicable, have signed a confidentiality agreement.

All of the clinic's professionals, employees, trainees and students are familiar with this policy, and have benefited from privacy training and awareness activities at a corporate seminar held on September 15, 2023.

3.2 Storage location and security measures to protect personal information

Patients' personal information is recorded in the dental record.

Dental records (active and archived) are kept in a locked room to which the public does not have access.

Digital records benefit from additional safeguards to restrict access to authorized persons only (encryption, password-controlled access privileges based on responsibilities, secure off-site daily archiving).

3.3 Logging uses of personal information

The Privacy Officer validates daily the report of consultations and uses of health information from the dental software.

3.4 Privacy Impact Assessment

In accordance with the law, a Privacy Impact Assessment (PIA) is carried out for any project involving the acquisition, development or redesign of an information system or the electronic delivery of services involving the collection, use, disclosure, retention or destruction of personal information.

The law defines "technological product or service" as any equipment, application or service required to collect, store, use or disclose information, such as an information bank or system, a telecommunications network, a technological infrastructure, software or a computer component of medical equipment.

A PIA is also carried out when personal information is to be disclosed to a partner/supplier outside Quebec, and only if the assessment shows that the information would benefit from adequate protection, particularly with regard to generally recognized privacy principles, will it be transmitted, and after informing the person(s) concerned.

3.5 Disclosure to third parties

Patient personal information may not be disclosed to third parties without the patient's consent, except as provided by law.

4. Patient rights

To exercise any of the rights set out in this section, the patient must send a detailed request in writing to Annabelle Laurin at protection_rp(a)cliniquebfabre.com. Upon receipt of the request, the patient will receive an acknowledgement of receipt.

In the event of refusal of a request, the Privacy Officer shall state the reasons for the refusal to grant the request and indicate the provision of the law on which the refusal is based, the remedies available and the time limit within which they may be exercised.

4.1 Right of access and procedure

If the patient requests access to his or her dental record, the Privacy Officer will provide free access to the dental record within 30 days of receipt of the request and during the clinic's regular business hours.

4.2 Right of rectification and procedure

The patient has the right to:

• have any inaccurate, incomplete or equivocal information with respect to the purposes for which it was collected corrected in a document concerning him or her and included in any file concerning him or her;
• to have deleted any information that is out of date or not justified by the purpose of the file created about him/her;
• to add any comments made in writing to the file.

If the patient makes a request of this nature, the Privacy Officer will respond within 30 days of receipt, and, as the case may be, will issue the patient with a copy of the document or part of the document attesting to the correction or deletion of the information, or an attestation that the patient's written comments have been placed in the file.

4.3 Right to obtain a copy and procedure

Patients have the right to obtain a copy of their dental records. A fee may be charged for reproduction or transmission, and the patient will be advised of the approximate cost. Copies of paper records will be delivered by hand or sent by registered mail.

When the file is on digital media, it will be communicated to the applicant in a structured, commonly used technological format, via a secure transmission method.

4.4 Restricting or refusing access to personal information

The patient has the right to restrict access to his or her health information or to refuse that information concerning him or her be made available to certain specified persons, in certain circumstances.

4.5 Right to complain and procedure

Patients have the right to file a complaint regarding the collection, use or disclosure of their personal information to a third party, or for any other reason related to the protection of their personal information.

The complaint must contain all the details needed to understand the situation, the person involved, his or her position, the date of the alleged events, the presence of witnesses and their names, if any.

The person responsible for protecting personal information will investigate the matter and meet with all those involved.

All employees and self-employed workers of the dental clinic are required to cooperate in the investigation process, and to do so in the strictest confidence, except to the extent necessary to analyze the complaint.

At the end of the investigation, a report will be produced by the person responsible for the protection of personal information. The report will establish whether the allegations are well-founded and, if so, will make recommendations that may include administrative or disciplinary measures, the implementation of measures to prevent the recurrence of similar incidents, a report to the Commission d'accès à l'information, depending on the nature of the incident, or any other measure deemed appropriate.

The person responsible for the protection of personal information will inform the complainant in writing of the findings of his or her investigation and of the measures that will be put in place.

5. Procedure in the event of a privacy incident

5.1 Definition of a privacy incident

The law defines "privacy incident" as :

• the unauthorized access to personal information;
• the unauthorized use of personal information;
• the unauthorized disclosure of personal information;
• the loss of personal information or any other breach of the protection of such information.

5.2 Procedure

When the Privacy Officer becomes aware of a privacy incident involving Personal Information, the Privacy Officer shall:

• take reasonable steps to reduce the risk of harm being caused and to prevent further incidents of a similar nature;
• record the incident in the incident log, even if the incident does not present a risk of serious harm;
• determine whether the incident presents a risk of serious harm being caused.

When assessing the risk of harm to an individual whose personal information is affected by a confidentiality incident, the Privacy Officer shall consider, in particular, the sensitivity of the information concerned, the apprehended consequences of its use and the likelihood that it will be used for harmful purposes.

When the incident presents a risk of serious prejudice, the Privacy Officer must, with due diligence, notify the Commission d'accès à l'information using the form provided by the Commission for this purpose, as well as any person whose personal information is affected by the incident. It may also notify any person or organization likely to reduce this risk, by communicating only the personal information required for this purpose without the consent of the person concerned.

6. Retention and destruction period

Dental records are kept for five years following the last entry or insertion in the record, in accordance with the law.

Personal information relating to supporting documents required to verify information contained in the clinic's records and books of account is retained for six years in accordance with the Income Tax Act.

At the end of these periods, personal information will be destroyed in a manner that preserves its confidentiality, using the following methods:

• paper files: shredding or incineration;
• electronic files: digital shredding;
• models: physical or digital shredding, or anonymization.

Policy approved on 2023-09-20 by Eva Bedkowska Fabre, DMD, President

Internet Privacy Policy

Through its Web site, Clinique dentaire B. Fabre et associés collects personal information about you.

The clinic is committed to protecting your personal information, and invites you to read this privacy policy.

Personal information collected automatically

When you connect to our Web site, certain personal information is exchanged between your computer and our server. This exchange is necessary so that the data contained on our site can be correctly communicated to the computer equipment you are using. This personal information is kept by the clinic solely for technical and statistical purposes related to the performance of our website.

This information includes:

• the domain name of your Internet service provider;
• your IP address;
• your browser (Explorer, Firefox, etc.);
• your operating system (Windows, Mac OS, etc.);
• the date and time of your visit;
• the Internet pages you visit.

Use of cookies

The clinic does not store any cookies permanently. Only a temporary cookie is used during your visit to our site to improve the performance of certain features.

You can deactivate cookies via your web browser. However, this deactivation may have the effect of restricting certain functionalities of our website.

Personal information voluntarily submitted by e-mail or form

Personal information that you voluntarily provide to us by e-mail or via the appointment forms (regular and emergency) on our website, such as your name and e-mail address, will only be used to enable clinic staff to respond to you or your request, and will then be deleted.

Commitment to confidentiality

All clinic employees have signed a confidentiality agreement.

Responsible for the Privacy Policy

If you have any questions about this policy, or if you have any complaints about non-compliance with it, please contact Annabelle Laurin in writing at protection_rp(a)cliniquebfabre.com.