Privacy Policy
Date of Last Revision: Feb 27, 2026
1. Purpose
Caredove respects the privacy concerns of all users of The Platform, and is committed to protecting the Protected Health Information (PHI) / Personal Information (PI) of all referral data and Professional Information of its users with accounts. The purpose of this policy is to establish all the mandatory requirements and responsibilities for the protection of such information.
2. Scope
This policy applies to all Caredove personnel and third party service providers whom it has retained to support the delivery of our services. This privacy policy should be read in conjunction with the subordinate policies, standards and procedures that are part of our comprehensive Privacy & Security Program. The policy is relevant to all Caredove customers.
3. Terms
“Protected Health Information (PHI)” means information such as:
- Physical or mental health of the individual
- The individual’s family health history
- Eligibility for health care
- The individual’s giving of a body part or bodily substance
- Reason for receiving health care
- Alternate decision maker
- Health Card Number (e.g., OHIP card)
- Any identifying information that is not protected health information but that is contained in a record of protected health information
- Clinical information about the individual being referred for service.
In Caredove, “PHI” is any patient related information contained in a health referral.
“Personal Information (PI)” means identifiable information about an individual such as:
- Personal address, telephone number or email address
- Any identifying number assigned to an individual (e.g. Social Insurance Number, Social Security Number)
- Payment history
- Information relating to age, sex, disability, race, citizenship status, marital status, religion, etc.
- Information relating to education, employment, etc.
This information is PI only if it is not associated with any health information, in which case it is also considered to be PHI. Very simple referrals may contain only “PI”. “PI” may also be found in a limited manner related to user accounts or in business processes outside of the Caredove application. In the Caredove application, “PI” data in referrals is treated the same as “PHI”.
“Professional information” refers to data related to an individual’s employment, business, or professional activities, used in a Caredove user account, including:
- Name
- Business contact information (email, phone)
- Job title, employer
- Profile photo
- Caredove user credentials
- User activity in Caredove
Professional information is also associated with referrals to identify who is sending, receiving or otherwise managing and observing a referral.
Clarification of Terms for Our Canadian Customers:
Health Information Network Provider (HINP): An entity that provides services to two or more Health Information Custodians (HIC) where the services are provided primarily to enable the custodians to use electronic means to disclose Protected Health Information (PHI) to one another. Caredove is a HINP. As a HINP, Caredove may have PHI within its systems while providing service; however the HIC remains fully accountable to the patient for the privacy practices associated with the PHI.
Health Information Custodian (HIC): A person or organization that delivers health or community care services. Physicians, hospitals, pharmacies, laboratories, community care access centres and community support agencies are examples of HICs. A HIC has custody or control of PHI as a result of the work it does. The HIC has the right to deal with the PHI and create records, as well as the responsibility to maintain the confidentiality and security of the PHI. Caredove is not a HIC, but rather helps HICs. For example, Caredove provides HICs a more secure means of sharing information than traditional faxing methods.
Agent: Someone acting for or on behalf of the HIC in respect of collecting, using or disclosing PHI, for the purposes of the HIC, and not the agent’s own purposes. For example, a HIC may designate Caredove as its agent to correct a specific record in Caredove. Caredove does not make any independent decisions with respect to handling PHI when acting as an agent, but acts only in accordance with the terms of its agreement with a HIC and in compliance with Canadian laws and regulations in this regard.
Clarification of Terms for our United States Customers:
Caredove has adopted this Official Privacy Policy in order to declare its voluntary commitment to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009 (Title XIII of division A and Title IV of division B of the American Recovery and Reinvestment Act “ARRA”) and the HIPAA Omnibus Final Rule.
Although Caredove does not meet the definition of a HIPAA Business Associate or Covered Entity as these are defined in the HIPAA Regulations, Caredove hereby acknowledges its obligation to protect the privacy and security of Individually Identifiable Health Information (“IIHI”) generally, and Protected Health Information (“PHI”) as defined in the HIPAA Regulations, voluntarily under the regulations implementing HIPAA, lawfully under other federal and state laws protecting the confidentiality of PHI/PI, and under principles of general and professional ethics.
4. Privacy Policy
This Privacy Policy has been organized around the 10 principles contained in the Model Code for Protection of Personal Information (“CAN/CSA – Q830-96, Model Code for the Protection of Personal Information,” March 1996).
Principle 1: Accountability
The “principle of accountability” means that an organization is responsible for the Protected Health Information (PHI) and Personal Information (PI) under its control and has designated an individual or individuals who are accountable for the organization’s compliance with privacy principles. When confidential PHI/PI information is not in our custody, Caredove Inc supports our customers and their privacy programs.
The Privacy & Security Program is overseen by the designated Chief Privacy Officer (CPO), who reports directly to the Caredove Chief Executive Officer (CEO) and is the person primarily responsible for administering Caredove’s Privacy & Security Program. The CPO is responsible for compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce, extended workforce, and for all business associates, in cooperation with legal counsel as applicable. Additionally, other Caredove personnel may be responsible for the day-to-day oversight of the program, acting on behalf of the CPO from time to time.
The CPO will:
- Work with technical personnel to protect PHI/PI information from unauthorized use
- Administer all complaints
- Cooperate with officials in governmental organizations (e.g., HHS or Office of the Privacy Commissioner)
- Develop specific policies as required by relevant jurisdictions (e.g., US, Canada)
- Review all contracts under which access to PHI/PI data is given to outside entities, bring those contracts into compliance with relevant laws, and ensure that PHI/PI data is adequately protected when such access is granted
- Disseminate any notices of privacy breaches as required by law
- Remain up to date with relevant laws, rules, regulations and new technologies to protect data privacy
- Determine the optimal method for consent when PHI/PI is being transmitted between parties on the Caredove platform
- Oversee employee training with regard to our privacy and security regime.
Caredove Inc is committed to respecting personal privacy, safeguarding PHI/PI information, and ensuring the security of information when it is in our custody.
Caredove meets this commitment through our comprehensive Privacy & Security Program. Key components of this Program include:
- A suite of privacy policies and procedures
- Information, retention and disposal protocols
- Employee training and privacy awareness
- Internal and third party privacy and threat risk assessments
- Agreements, both with individuals and entities that provide service to Caredove and entities to which Caredove provides service
- Privacy incident and breach management protocols
- PHI/PI lifecycle management describing procedures for retention and destruction of information
- An inventory of all individuals with access to PHI/PI information
- Role-based access controls within Caredove that limit access to PHI/PI
- Public accountability and transparency by making this policy freely available, and demonstrating compliance with relevant legislation, including Protected Health Information Protection Act, 2004 ("PHIPA"), and HIPAA.
Principle 2: Identifying Purposes
The “principle of identifying purposes” means that the purposes for which PHI/PI are collected shall be identified by the organization at or before the time the information is collected.
All referral forms submitted through Caredove shall clearly state the purpose of the referral before it is submitted, through a consent statement. The purpose stated in the standard Caredove consent statement for sending information is to request access to an identified service. (See “Principle 3: Consent” for more details on the consent statement).
Protected Health Information (PHI) and Personal Information (PI), entered into Caredove by a Health Information Custodian (HIC), a patient or their representative, is stored in Caredove while it provides an electronic service that allows HICs to streamline patient referrals. Such information is stored for one or more of the following purposes:
- Sending and tracking patient referral information.
- Receiving and processing patient referral information.
- Presenting referral information to patients and their representatives
Professional Information is collected for Caredove users with Caredove accounts, with the intention of helping users find and connect with health care and community care services, or administering that process. This information about users may be used for one or more of the following purposes:
- Providing user information to other Caredove users about who is referring to services, and who is providing services.
- Providing referrers and providers information about who has acted on a referral
- Sharing available appointment times of users wishing to let others book such times.
- Contacting users regarding requests for access to, or correction of, PHI/PI.
- Contacting users to provide support.
- Issuing a password for the password protected sections of this site.
- Promoting the existence of new or revised services to users.
- Promoting the use of Caredove.
- Reporting statistics on aggregate numbers on usage to funders, sponsors, users, or others in order to further the intent of Caredove, and to help evaluate the effectiveness of Caredove.
- Contacting users for feedback and surveying needs regarding Caredove.
- Providing business consulting services such as process improvement & program evaluation
Principle 3: Consent
The “principle of consent” means that the knowledge and consent of the individual are required for the collection, use or disclosure of PHI/PI, except when inappropriate.
Acquiring referral consent is the obligation of the person collecting the PHI and using Caredove to make the referral. Caredove assists referrers to record the acquisition of consent. The HIC is responsible for providing notice to their patients regarding consent and their purpose for collecting PHI, which may be beyond the purposes of Caredove Inc.
On any occasion where a patient self-refers through Caredove, the patient will be presented with relevant identifying purposes and asked to provide consent via a standard consent click-through agreement and/or additional consent statements defined by the receiving organization. The standard consent click-through agreement is as follows:
“By submitting this form, I agree to send this personal information to {{organization name goes here}}, for the purpose of requesting {{service name goes here}}. I have the consent/authorization to send the information about any other people that may be included on this form (e.g., a client, parent, child).
I agree to these Terms and Conditions and Privacy Policy, which outline how this personal information is kept safe.”
If the patient wishes to revoke consent, they may contact the requester who made the referral or the service provider, who can then revoke the authorization and clear the PHI data in Caredove. Depending on the processing that has been done by the requester or provider, further follow-up may be required in other systems, which is the responsibility of the users of those systems.
Caredove users who are configuring their accounts and inputting their Professional Information agree to this privacy policy, which describes how that information is used.
Principle 4: Limiting Collection
The principle of “limiting collection” means that the collection of PHI/PI shall be limited to that which is necessary for the purposes identified by the organization.
PHI/PI shall be collected by fair and lawful means.
For referral data (PHI), it is the responsibility of the agency receiving a referral to define what PHI can be collected on their request form, and that it meets the limiting collection criteria.
For Caredove user account data (“Professional Information”), Caredove limits collection only to the information required to achieve the purposes identified in “Principle 2: Identifying Purposes”, unless we receive consent from the individual or agency to collect for another purpose.
Principle 5: Limiting Use, Disclosure and Retention
The “principle of limiting use, disclosure and retention” means PHI/PI shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Use and Disclosure
A referral sender (at a HIC or a Patient or their representative) selects the destination to send (disclose) a referral containing PHI. The referral receiver (a HIC and licensee of Caredove), or their agent, is responsible for inviting, deleting or otherwise managing users who will be authorized to access PHI in the received referrals. Credentialing of these users is the responsibility of the Caredove licensee or their agent.
PHI is only to be used according to the purposes outlined in Principle 2: Identifying Purposes.
An audit log of referral activity and PHI access is readily accessible at any time for relevant users through Caredove. In order to maintain integrity of the audit log, and for security purposes, Caredove users are not permitted to share access credentials.
It is the policy of Caredove Inc that all patient-related uses and disclosures of PHI shall be the responsibility of the HIC and the healthcare entities that may employ them. See section “Caredove Inc Employees” for additional exceptional purposes.
PHI is not present in Caredove sandbox, testing, or development environments. Caredove users must not add PHI in these environments.
Professional Information related to user accounts may be included in these alternate environments, which allows Caredove users (and employees) to perform training and testing with their own user accounts that do not affect the PHI and related data in their production environments.
Retention
PHI is retained in Caredove for only as long as necessary for the fulfillment of purposes in Principle 2: Identifying Purposes.
HICs receiving the referral determine the retention policy for the information that they are the custodian for within Caredove. Caredove applies that policy to their information by (soft) deleting the data from the platform, at which point it is unavailable to any user. Data can be recovered up until 120 days after the data was initially (soft) deleted, after which time the data is permanently deleted. Permanently deleted data cannot be recovered for Caredove users. Data recovery requests can be made to Caredove Inc support.
Unlike PHI, Professional information and other metadata related to referrals is not deleted in Caredove. This data is maintained in Caredove over time to support reporting features and maintain auditability of referral activity even after the PHI has been removed. This data may be removed at the determination of Caredove Inc in a manner that is in compliance with relevant privacy legislation.
Caredove Inc Employees
Caredove Inc and its employees do not have purposes to ‘use’ (or ‘disclose’) PHI in its standard operations. Under normal circumstances, Caredove Inc employee user accounts do not have access to PHI. There are exceptional circumstances in which a limited number of Caredove Inc personnel may be granted time-limited access to PHI:
- Incidental access to PHI while supporting HICs for the purposes of providing services including issue troubleshooting, incident/breach investigation, user onboarding/training/support, data maintenance.
- “Break Glass” scenarios where a Caredove user may need urgent and important help accessing PHI in Caredove, but does not have access to Caredove (e.g., due to connectivity issues).
The above purposes will only involve access to PHI after all other methods of addressing the purpose have been exhausted, and an access request has been submitted to and approved by the Caredove Chief Privacy Officer (or designated agent). The CPO will ensure that the access request is warranted, logged, the relevant HIC(s) has approved or has sufficient awareness of the access as appropriate, and proper procedures are followed to maintain the integrity and confidentiality of the PHI.
All access to PHI by Caredove Inc employees is visible and auditable to Caredove users in the referral and user activity history within Caredove.
See “Principle 1: Accountability” for other components of the privacy program that Caredove Inc maintains with its own employees to ensure privacy of data.
Third Party Service Providers
Third Party Service Providers may only access PHI in Caredove on the authority of the HIC managing the data, in accordance with this privacy policy and all applicable laws. Caredove Inc does not provide PHI access to Third Party Service Providers, but may support HICs to do so at their request and with the appropriate consent.
Cookies
The Cookie Policy explains how Caredove Inc and its affiliates use cookies to recognize you when you use our Services. It explains what these technologies are and why we use them, as well as your rights to control our use of them.
Browser Information
Caredove collects browser information for performance and usage analytics. For both anonymous visitors and known visitors to our website, information is collected such as the server the computer is logged onto, the domain name of the internet service provider, browser type and version (for example, Firefox or Internet Explorer) and IP address. Caredove may also derive the general geographic area associated with an IP address.
This data is used to support security measures for technical safeguards, security measures related to user authorization, and to support general performance and troubleshooting.
3rd Party Web Services
Caredove makes use of some 3rd party web services to support its functionality (e.g., mapping, translation, email, customer support, faxing and analytics services), to which some information may be transferred. Caredove only uses these 3rd party services in ways that are consistent with the Caredove Privacy & Security Program.
Principle 6: Accuracy
The principle of "accuracy" means that PI and PHI shall be as accurate, complete and up to date as is necessary for the purposes for which it is to be used. The accuracy of information is the responsibility of the HIC who collects it. Any corrections or changes to information must be completed only by the HIC who has custody of the information.
Caredove provides methods to support the accurate entry of information, such as input validation controls. Caredove also maintains mechanisms to protect the security and integrity of information (See Principle 7 Safeguards). Patients have the right to request that their service provider (HIC) correct information that may have been shared in a referral sent through Caredove.
Principle 7: Safeguards
The principle of "safeguards" means that PI and PHI shall be protected by security safeguards appropriate to the sensitivity of the information. Caredove Inc protects PI and PHI with safeguards that are appropriate to the sensitivity of the information. These safeguards are designed to protect information in all formats against loss or theft, as well as against unauthorized access, disclosure, copying, use or modification. Security Safeguards are put in place by Caredove Inc to protect PI and PHI and include administrative, technical and physical safeguards appropriate to the sensitivity of information. This includes:
- Threat risk assessments
- Audit logging
- Monitoring
- Login reports
- Secure destruction of records
A Privacy Impact Assessment (PIA) is completed for Caredove to ensure all privacy risk issues are identified. Caredove Inc creates plans to address the findings of PIAs. A summary of this assessment is available. This assessment is updated periodically and remedial action taken, as necessary.
A detailed security safeguard description is found in the Data Security policy, which discusses practices such as use of complex passwords, firewalls, encryption of data, continuous vulnerability assessments, Privacy Incident & Breach Management, and access based on least privilege.
Principle 8: Openness
The principle of "openness" means that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of PI and PHI. Caredove Inc makes available plain language descriptions of its approach to privacy and security. Caredove Inc posts its privacy program overview on its website. Additional information about Caredove Inc's privacy-related policies and procedures is available upon request.
Principle 9: Individual Access
Regarding Protected Health Information (PHI)
Handling individual access requests for PHI/PI is the responsibility of the HIC managing the related data in Caredove.
All requests for PHI/PI that are received from patients, their agents, or other sources shall be referred to the related HIC to respond promptly and appropriately. Caredove Inc staff shall make clear that Caredove Inc cannot respond to requests involving fulfillment of patient rights to information. Marketing materials and Caredove platform functions shall be designed to direct such requests to the appropriate HIC so they can respond appropriately.
Regarding Professional Information
Caredove users with accounts may access and update all of their Professional Information in Caredove at any time by logging into Caredove and viewing their Caredove user account details page, and their activity history page. If Caredove Inc is presented with any appropriate individual access request to this data where the user is unable to access this information directly, Caredove Inc will respond and facilitate their access request within a reasonable time, under 30 days from receipt of the request. We will provide written notice of any response period extension within 30 days of your request. We will respond to a request for access at minimal or no cost. If a person demonstrates to our satisfaction that Professional Information that is held or controlled in Caredove is inaccurate or incomplete, we will make appropriate amendments. Caredove Inc cannot support requests to remove Professional Information from Caredove; see section “Retention” for details.
Principle 10: Challenging Compliance
It is the Policy of Caredove to respond in a timely and positive manner to all complaints submitted by any persons or parties, including patients, workforce members and any other person or party.
If a person wishes to enquire or complain about our privacy practices or our compliance with our Privacy Policy, the complaint may be lodged by calling Caredove Inc at (416) 655-7997 or toll free in North America at 1-833-567-3683 or in writing to the address below. The Chief Privacy Officer (CPO) will investigate and respond to all complaints within 30 days. If a complaint is justified, we will take all reasonable steps to amend our relevant privacy-related policy or procedure. In no case shall more than 60 days elapse from the time a complaint is submitted to the resolution of the complaint. The final complaint shall be documented and retained according to Caredove Inc’s Documentation Policy.
In addition to a written response, complaints that are found to have merit will be resolved with some remediation that is appropriate given the severity of the situation. Such remediations may include:
- A written apology
- Financial compensation, if determined by our legal counsel or senior management to be appropriate
- Sanctions against workforce members
Complaints submitted by government will receive full cooperation. No personnel, agent, or contractor of Caredove Inc shall impede an investigation into a complaint.
NOTE: Caredove Inc reserves the right to modify or supplement this Privacy Policy. The terms of the revised Privacy Policy will only apply to PHI/PI collected subsequent to its effective date.
Caredove Chief Privacy Officer (CPO)
Tim Berezny, Caredove Inc.
PO Box 2307, Orillia, Ontario L3V 6S2