Notice of Privacy Practices

About This Notice

MediNote Telehealth Inc. ("MediNote") is committed to protecting the privacy and security of your personal health information. As a Canadian telehealth provider, we comply with:

• PHIPA – Personal Health Information Protection Act, 2004 (Ontario)
• PIPEDA – Personal Information Protection and Electronic Documents Act (Canada)
• Provincial health privacy laws – Where applicable in other provinces
• HIPAA – Health Insurance Portability and Accountability Act (United States) – for any US-based data storage or services

This Notice of Privacy Practices explains your rights and our obligations regarding your personal health information (PHI).

Your Rights

When it comes to your health information, you have certain rights:

How We Use and Disclose Your Information

Uses and Disclosures That Do Not Require Your Authorization

We may use and share your health information without your specific permission for:

• Treatment – To provide, coordinate, or manage your health care. For example, sharing information with specialists, pharmacies, or laboratories involved in your care.
• Health Care Operations – For quality assessment, training, accreditation, and other activities necessary to run our practice.
• As Required by Law – When required by federal, provincial, or territorial law, including mandatory public health reporting.
• Public Health Activities – To report diseases, injuries, vital events, and conduct public health surveillance.
• To Prevent Serious Harm – When necessary to prevent or reduce a risk of serious harm to you or others.
• Health Oversight – To regulatory agencies for audits, investigations, and licensure activities.
• Legal Proceedings – In response to a court order or valid legal process.
• Research – For health research approved by an ethics review board, with appropriate safeguards.

Uses and Disclosures That Require Your Authorization

We will obtain your written consent before:

• Marketing activities or communications
• Sale of your health information
• Sharing psychotherapy notes (if applicable)
• Most other uses and disclosures not described in this Notice

You may revoke your authorization at any time in writing, except to the extent we have already acted on it.

Our Responsibilities

We are required to:

• Maintain the privacy and security of your protected health information
• Notify you promptly if a breach occurs that may have compromised your information
• Follow the duties and privacy practices described in this Notice
• Not use or share your information other than as described here unless you tell us we can in writing
• Provide you with a copy of this Notice upon request

Security Measures

We have implemented comprehensive safeguards to protect your health information:

• Technical Safeguards – Encryption of data in transit (TLS 1.3) and at rest (AES-256), secure authentication, intrusion detection systems
• Administrative Safeguards – Staff privacy training, access controls, privacy impact assessments, incident response procedures
• Physical Safeguards – Secure data centers with 24/7 monitoring, access controls, and environmental protections
• Audit Controls – Comprehensive logging of all access to health information

Breach Notification

In the event of a breach of your personal health information, we will:

• Notify you as soon as reasonably possible, and no later than required by law
• Describe the nature of the breach and the information involved
• Explain what we are doing to investigate and mitigate the breach
• Provide steps you can take to protect yourself
• Report to the Information and Privacy Commissioner as required

Changes to This Notice

We may change the terms of this Notice at any time. Changes will apply to information we already have about you as well as any information we receive in the future. The revised Notice will be posted on our website and available upon request.