A core value at OnCall Health is to provide private and secure service to all who choose to use our platform. OnCall Health supports access to mental health services, and strives to ensure all of the practitioners and patients who use our platform may access such services without worrying about agreeing to policies that are buried in complex language or jargon.
- Personal Information: Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, e.g. age, name, ID numbers, employee files, credit cards, and more.
- Personal Health Information: Personal Health Information is defined as identifying information about an individual that relates to the individual’s physical or mental health, including the health history of the individual’s family, the individual’s health number, and more.
- Collected Information
- Protected Information
- Use of Information
- Breach Protocol
OnCall Health’s commitment to its platform’s users can be briefly outlined as such:
OnCall Health requires your express permission before using your information. Otherwise, we don’t.
From Healthcare Providers: Name, business, contact information, specialization.
From Patients: Name, email address, appointment date and time, “notes for patient” (added by the provider after the appointment), secure file attachments sent through the platform.
And that’s all.
There are 3 levels of protection for all information stored by OnCall Health:
- Physical Safeguards
- Technological Safeguards
- Administrative Measures
Let’s take a brief look at each of these sections to understand how OnCall Health protects information.
There are 5 main physical safeguards in place to keep information in OnCall Health’s custody safe.
- Access to information storage areas requires authorization
- Authorized access is protected by a code
- Nothing leaves the secure premises
- Backups for information are locked
- Information is not stored on paper
In compliance with relevant privacy requirements and legislation, all information is stored on in-country servers, i.e. a Canadian patient’s information is stored on servers in Canada, while data relating to an American patient and provider is stored securely on American servers.
OnCall Health’s servers are operated by Amazon Web Services Secure Cloud (AWS). Effectively, AWS is a highly “secure and governed cloud storage platform”. AWS is certified as compliant with ISO Standard 27018 Code of Practice for PII protection in public clouds.
Wow. What does that mean? (Here is a longer and better description of what this means.)
ISO (International Organization for Standardization) Standard 27018 Code of Practice is relevant to the protection of personally identifiable information (like personal health information) in the public cloud computing environment. This Standard is enforced by the ISO (a complete version of this standard can be found here). Effectively, this means that any patient information stored on OnCall Health’s servers is secure, and backed by the ISO.
Okay, so the servers are secure. But, what about the video sessions themselves?
Secure video and text consultations are encrypted with the AES cipher using 256-bit keys. Video sessions are also NEVER recorded or stored anywhere.
More tech jargon! Yay!
The AES cipher is the Advanced Encryption Standard. Now, anyone who saw the Alan Turing biopic, The Imitation Game (2014), will remember that a cipher is a code which jumbles information, so no one can read it but the person with the tool to unscramble the code (called a key). This process is a type of encryption. AES uses multiple layers of encryption to protect information stored on OnCall Health’s servers. The code to understand the cipher is never stored anywhere, and is always randomized. Through this process, OnCall Health sessions are encrypted end-to-end, providing a high level of security for our clients.
Make sense? Good!
Once information is no longer necessary to provide service, all personal and personal health information is destroyed or anonymized. Only authorized personnel are able to access the information that is absolutely necessary to deliver the service.
All privacy matters are overseen by OnCall Health’s Chief Privacy & Security Officer (CPSO). The CPSO is responsible for a variety of safety and privacy initiatives, including completing background checks on all employees, undertaking threat and risk assessments on a regular basis, receiving reports on and reporting on privacy compliance, and granting access to OnCall Health data.
Privacy policies are continually updated and audited by a third party.
Use of Information:
OnCall Health does NOT…
Use any personal information or personal health information without express consent.
Sell any personal information or personal health information or make any information public in exchange for remuneration.
OnCall Health DOES…
Seek out users’ explicit consent prior to opting anyone in to receiving relevant information on products, services, or promotions.
OnCall Health has taken all reasonable measures to prevent breaches. Our response procedure is simple: keep our users informed by notifying them at the first reasonable opportunity, and apply remedial measures immediately.
All users of the OnCall Health platform must consent to this policy prior to use.