Date of Last Revision: July 31, 2018
The Caredove Referral Network (CRN) allows Users of Caredove Services (also referred to as Caredove.com) to handle referrals to health and community services. When you sign up to use Caredove.com you become a Caredove Referral Network Member (CRN Member) and are eligible to be assigned a Caredove Referral Network Role (“CRN Role”). CRN Members agree to act responsibly in accordance with their assigned roles, as set out in this document.
“Referral Sender” means any CRN Member who sends referral information to other CRN members via Caredove.com.
“Referral Receiver” means any CRN Member who receives referral information from other CRN members via Caredove.com.
“Listings Manager” means any CRN Member who updates service listings information for an organization.
“Organization Administrator” – means any CRN Member who administers the use of Services within their organization’s Authorized Workforce.
“Network Administrator”– means any CRN Member who administers the use of all CRN Members’ accounts within a network of Organizations (a “Network”) that have each entered into the Caredove Member Agreement.
“Network Listings Manager” – means any CRN Member who can update service listings for any organization that is part of a Network.
“Caredove Super Administrator” – means a person employed by Caredove who operates and oversees the Caredove.com.
Note: All roles except for Referral Sender require that the CRN member is part of an Authorized Workforce.
(a) Comply with Relevant Privacy Laws and will have implemented the required internal policies and procedures to be compliant with these laws.
Different jurisdictions have different legislation, often with different (but complimentary) laws for personal information and for personal health information. For example, in Canada, there are two federal privacy laws (the Privacy Act & the Personal Information Protection and Electronic Documents Act) as well as provincial laws (such as Ontario’s Personal Health Information Protection Act – PHIPA). View a summary of Canadian privacy laws. In the USA, the Health Information Portability & Accountability Act (HIPAA) establishes the national standards for health privacy.
There are some common themes within most privacy laws, such as (but not limited to):
– The patient consenting to the collection, use, and disclosure or their records; – Limiting collection, use, and disclosure of records to their intended purpose; – Ensuring the accuracy of information; – Implementing safeguards to protect records against loss, theft or unauthorized access; – Notifying the patient of unauthorized access to their records; – Granting patients the right to obtain a copy of their records (with exceptions), request corrections, be notified of privacy breaches, control who has access to records and make complaints.
(b) Safeguard Referral Information by having technical and procedural safeguards to protect access to referral records shared within Caredove.com (e.g., storage/transfer/disposal of downloaded referral files and Caredove User account credentials), and manage referral information in a secure manner. Caredove publishes an audit record of users’ activity to support this.
(c) Submit Content Responsibly to Caredove.com such that it does not disclose information unsuitable for public disclosure, violate the privacy rights of others, contain inaccurate information and does not violate any intellectual property rights, copyrights, trademarks, or trade secrets. The CRN Member is solely responsible for any content they post.
(d) Be Subject to Account Management by the affiliated Organization Administrator, the affiliated Network Administrator, and/or the Super Administrator at Caredove. Administrators may monitor, modify, revoke, suspend, archive and delete account information and permissions.
(e) May Leave the Caredove Referral Network at any time by revoking agreement with the Member Agreement. When leaving the network, the CRN Member loses access to all Roles within Caredove.com. Consequently, the CRN Member cannot make or receive referrals, view personal health information or access historical records via Caredove.com.
If a CRN member changes Organization then the account is archived.
(f) Maintain Accurate Account Information in Caredove.com including name, email, phone, organization, job title, etc. Any changes shall be updated promptly.
(g) Notify Caredove of Any Breach or Suspected Breach of the Security of Caredove’s Services of which the CRN Member becomes aware and will take such action to mitigate the breach.
Upon discovery of referral information breach, where the breach involves the application of Caredove’s technology, this will trigger an application of Caredove’s Breach Management Policy. The impacted CRN members will cooperate with Caredove in the resulting investigation.
(h) Report Suspected Privacy Incidents and Breaches to their organization’s designated privacy lead, and respond in accordance with their organization’s privacy policies.
The organization’s privacy policies should also provide a definition of privacy incidents, breaches, and the procedures to follow. Learn about how Caredove defines privacy breaches and incidents for our employees.
CRN Members can be assigned a variety of roles, each of which comes with different responsibilities that are described in detail in this section.
(a) Collect Express Consent from the client for the purpose to collect, use and send referral information to the receiving organization (except when relevant legislation explicitly permits implied consent). Referral Senders do this by informing the client of the purpose of the referral, the referral receiver’s name, service information, other referral information as appropriate and sending the referral with the client’s agreement (usually verbal).
Express consent (or direct consent) — means that an individual is clearly presented with an option to agree or disagree with the collection, use, or disclosure of personal information. Most privacy legislation allows for implied consent (or implicit/deemed/indirect consent), which is where the behaviour of the patient clearly implies that that usage of the information is appropriate. The option to use implied consent is usually limited by legislation, thus Caredove recommends always collecting express unless the sender clearly understands the legislative framework and appropriateness of implied consent.
(b) Withdraw Consent upon Request from the client by promptly revoking the referral or unbooking the appointment on Caredove.com. Note that this can only be done via Caredove.com before the referral has been viewed in Caredove.com by the receiver, after which time the receiving organization should be contacted and notified directly by the Referral Sender.
In some jurisdictions this is referred to as a “Consent Directive” or “Lock Box”, to block the record(s) from being shared with specified people. Referrers should ensure that medical records the patient has marked confidential are not included in online referral information transmission.
(c) Provide Accurate Referral Information by exercising a high level of care to ensure that the referral information is correct, complete and up-to-date for the purpose of the referral. Referrers are exclusively responsible for the quality of client data. Caredove is not responsible for the quality of client data.
(d) Correct Erroneous Referral Information that can be reasonably expected to have an effect on the provision of health care to the client. To make a correction, the Referral Sender shall notify the Referral Receiver of the changes required to the referral via a method of their choosing (e.g., via phone, fax) or update the referral in Caredove which will notify the referral receiver automatically.
(f) Take Reasonable efforts to Follow up on Referrals to ensure referral completion, in accordance with their own internal policies and procedures. On Caredove.com the Referral Senders can view if the referral has been downloaded by the receiver, can view the referral outcomes as set by Referral Receivers, or otherwise contact Referral Receivers to determine status.
Caredove is not responsible for ensuring Referral Receivers process referrals in a timely way, or that clients receive referred services.
(g) Provide the Referral Information to the Client when the referral is sent, and at any other time by the client’s request.
The client can also request to view the referral’s activity history (e.g., who viewed, date and time of actions, changes, etc…).
(a) Keep Client Information Private that has been received through Caredove.com, in keeping with privacy laws and organizational policies.
(b) Retrieve Referrals in a Timely Manner by downloading the referral from Caredove.com promptly after it has arrived in the Caredove.com referral box. It is the responsibility of the Referral Receiver to monitor Caredove.com (and any notification emails) for incoming referrals on an ongoing basis and retrieve the referral information after which it will be securely deleted from the Caredove database.
In the event that referrals are not retrieved in a timely manner and become “orphaned”, Caredove will permanently delete the referral after providing reasonable notice to the Referral Sender and the Referral Receiver.
(a) Maintain Accurate Service Listing Information to enable the Referral Sender to make well informed referrals. Ensuring accuracy of contact information (such as contact email address and fax #) is especially important to prevent inadvertent transmission of personal information to an incorrect location.
(a) Support the Maintenance of Accurate Listing Information to help Organizations manage their own service listings, or to manage service listings on behalf an Organization.
(a) Oversee and Support Organization Administrators within the Network, including initial account setup and identity verification of Organization Administrator accounts, monitoring use, troubleshooting, and providing guidance.
(b) Adopt the Organization Administrator’s relevant responsibilities when acting on behalf of an Organization Administrator, such as verifying identities and ensuring that training has been provided when inviting new users. Network Administrators have full Organization Administrator privileges with their member organizations, which is provided primarily for the purpose of supporting the responsible Organization Administrators. In the circumstances when the Network Administrator is performing an Organization Administrator action, the Network Administrator will maintain full responsibility for their own actions and act with the same diligence and responsibility as the Organization Administrator.
(c) Grant CRN Members roles as Referral Senders who are able to refer to any service in the Network. The Network Administrator is responsible for identity verification of newly invited CRN Members.
(a) Bind the Organization into the Caredove Member Agreement, warranting that he or she has the authority required to do so. It is the first Organization Administrator that binds the organization, after which the Organization is considered to have entered into the Caredove Member agreement (becoming a Caredove Customer).
(b) Be the Primary Organization Contact with Caredove for activities related to Caredove Services.
(c) Grant Minimum Required User Permissions in Caredove.com for CRN Members to perform activities with their Organization including:
– Organization Administrators; – Referral Senders; – Referral Receivers; – Listings Managers
(d) Remove their Organization from a Network if the Organization wishes to be removed from a Network. This can be done by contacting Caredove Support and/or the Network Administrator directly.
(e) Verify Identities of CRN Members when inviting new users and granting permissions to Caredove.com. Caredove provides some tools to support this process, including an email verification process and other functionality.
An Organization Administrator’s identity can be verified by:
– other pre-existing Organization Administrators in that organization; – an affiliated Caredove Network Administrator;– the Caredove Super Administrator
(f) Oversee Account Information of their Organization’s Authorized Workforce on Caredove.com by monitoring and auditing Caredove user account integrity (e.g., change phone numbers, resetting passwords, changing permission levels, etc.).
(g) Monitor and Audit Account Activity of their Authorized Workforce using Caredove.com audit logs and monitoring access to their organization’s referral activity.
(h) Terminate Permissions Promptly in their Authorized Workforce when permissions with Caredove.com are no longer required (e.g., leave Workforce or change positions within the Workforce).
(j) Confirm the Presence of a Privacy Lead in the Organization who is the designated contact responsible for privacy issues. Duties of privacy leader (or privacy delegate) must include the development of privacy policies and procedures, monitoring privacy compliance, overseeing enforcement, developing and implementing privacy training programs, receiving and responding to privacy complaints and breaches.
(k) Configure Caredove.com Service Settings (e.g., retention policies, referral settings, calendar settings, etc.) in a manner that is aligned with the Organization’s policies & procedures.