Privacy Policy Change Summary

Effective Date: February 27, 2026


This summary describes updates made to the Caredove Privacy Policy since the previous version dated May 8, 2024.


The updated policy reflects clarifications, additional detail, and structural refinements. No fundamental changes have been made to Caredove’s role as a Health Information Network Provider (HINP), its commitment to applicable privacy legislation, or the core privacy principles that structure the policy.


1. Clarification of Information Categories


The updated policy:

  • Provides clearer distinctions between:
  • Protected Health Information (PHI)
  • Personal Information (PI)
  • Professional Information associated with Caredove user accounts
  • Introduces a defined description of “Professional Information,” including user account details such as name, business contact information, job title, employer, profile photo, credentials, and user activity.
  • Clarifies how referral-related PI is treated within the Caredove platform.


2. Referral Data and Consent Language


The updated policy:

  • Expands the description of how referral purposes are identified.
  • Includes the standard click-through consent language presented during patient self-referrals.
  • Clarifies how consent revocation may be handled.
  • Separately addresses consent related to user account information.


3. Employee and Operational Access to PHI


The updated policy:

  • Provides additional detail regarding circumstances under which limited Caredove personnel access to PHI may occur.
  • Describes authorization, logging, and audit visibility related to such access.
  • Clarifies that PHI is not present in sandbox, testing, or development environments.


4. Retention and Deletion Practices


The updated policy:

  • Clarifies retention processes for referral data, including soft deletion and permanent deletion timelines.
  • Clarifies the 120-day recovery period following deletion.
  • Describes retention practices for Professional Information and referral metadata in order to support audit and reporting functionality.


5. Third-Party Service Providers


The updated policy:

  • Clarifies the circumstances under which third-party service providers may access PHI.
  • Clarifies that access occurs under the authority of the applicable Health Information Custodian (HIC) and in accordance with applicable laws.


6. Individual Access Requests


The updated policy:

  • Separates handling of PHI access requests (managed by the relevant HIC) from access to Professional Information (managed within user accounts).
  • Clarifies the process and timelines for responding to applicable access requests.


7. Structural and Terminology Updates


The updated policy includes:

  • Terminology refinements for consistency.
  • Reorganization of certain sections for clarity.
  • Additional descriptive detail regarding safeguards, governance, and privacy program oversight.


No Fundamental Changes


There have been no material changes to:

  • Caredove’s role as a Health Information Network Provider (HINP)
  • The structure of the Privacy Policy based on the 10 privacy principles
  • Complaint handling procedures
  • Core safeguard practices
  • Compliance commitments under PHIPA, HIPAA, and related legislation