Last updated March 10, 2022
• implementing procedures to protect Personal Information; and
• establishing procedures to receive and respond to complaints and inquiries; and
• training staff and communicating to staff information about our policies and practices; and
• developing information to explain our policies and procedures.
Basic Information refers to the information collected on the MedExtra Case Initiation Form and Employee Authorization, which includes Employee’s name, phone number, email address, home address, date of birth or age, provincial healthcare number, occupation and years of service within the Organization.
Case Information means information about an identifiable individual that relates to the physical or mental health of the individual or the provision of health care to the individual such as symptoms, diagnosis, medical history, test results, reports, treatment, record of allergies, prescriptions, and Institutions involved with the Employee’s or Retail Individual’s case.
Care Manager means someone engaged by MedExtra to provide Care Management to Employees of a Client, and to Retail Individuals.
Client means an Organization that engages the services of MedExtra.
Client Care Advocate means someone engaged by MedExtra to provide nonclinical assistance to Clients, Employees of a Client and Retail Individuals.
Client Care Mandate means the individual form executed by the Retail Individual for the collection of Personal Information and discussions with Healthcare Providers, for the purpose of providing MedExtra services.
Collection means the act of gathering, acquiring, or obtaining Personal Information from any source, including third parties, by any means.
Consent means voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express Consent is given explicitly, either orally or in writing. Express Consent is unequivocal and does not require any inference on the part of the Organization seeking Consent. Implied Consent arises where Consent may reasonably be inferred from the action or inaction of the individual.
Disclosure means making Personal Information available to others outside the Organization.
Employee means the individual employees of a Client who have consented to the release of their Personal Information in accordance with this Policy.
Healthcare Provider means a professional in the field of medical care.
Information Release Form means the form signed by an Employee or Retail Individual authorizing the collection and review of Personal Information, and authorizing oral, written and electronic communication and information exchange between MedExtra and any health care practitioners or licensed physicians who have records or reports related to the current health of the Employee or Retail Individual, and any independent evaluators, service providers, agents and consultants working with MedExtra.
Institution means a facility at which Healthcare Providers provide medical care.
Organization means any association, business, government body, Institution, professional practice, union or other person or entity from which Personal Information is collected or to which Personal Information is disclosed.
Personal Information means information about an identifiable individual that is recorded in any form, including Basic Information and Case Information. Personal Information does not include information that is anonymized and/or aggregated so that it does not identify an individual and there is no reasonable basis on which to believe that the information can be used to identify an individual (“De-Identified Information”).
Retail Individual means a single person that engages the services of MedExtra.
Collection of Personal Information
MedExtra collects Personal Information concerning Employees and Retail Individuals, and their various healthcare issues, from the Client, the Employee, the Retail Individual, or from Institutions or Healthcare Providers. MedExtra collects only the amount and the type of Personal Information which is necessary to fulfill the purposes identified below and specifies the type of information collected as part of its information-handling policies and practices.
The Personal Information that we collect concerning an Employee or a Retail Individual in order to provide our services may include, without limitation:
- Basic Information directly from the Client, Employee or Retail Individual concerned; and
- Case Information from the Employee or Retail Individual concerned, and from third parties, such as Healthcare Providers & Institutions currently or previously involved in the care of the Employee or Retail Individual.
We may also collect information about your visit to our website, which we treat as Personal Information when it is associated with your contact information. This includes, for instance:
- Website Usage Information. When you visit medextra.com, we may collect technical information, using electronic means such as cookies. Cookies are tiny files that are downloaded to your computer to improve your experience. These cookies are required for the website to function. You can set your browser to block or alert you about these cookies, but some parts of our website may not then work. This technical information may include information concerning your visit or usage of the website, such as the pages you visit, your clickstream on our pages or information you entered (for instance in text boxes on our website). We also collect technical information, including your Internet Protocol (IP) address, which browser you used to access medextra.com, your operating system, your screen resolution, your location, the language settings in your browser, the website that you were previously on and your search keywords (if arriving from a search engine).
- Google Analytics: We use Google Analytics to collect information about visitor behaviour, such as information on user online activities including, but not limited to, page views, source and time spent on our website. This information is depersonalized and is only displayed as numbers, meaning that it cannot be tracked back to individuals. You may opt-out of our use of Google Analytics by visiting the Google Analytics opt-out page.
Purpose and Use of Personal Information
The purposes of our collecting Personal Information are described below as well as in MedExtra’s Client Care Mandate and Information Release Forms. When we collect Basic Information, we specify, by oral agreement, the purpose for the Collection of such information, and we train our staff involved in such Collection to adequately explain such purpose to the Client, Employee or Retail Individual.
We will use your Personal Information in a manner consistent with our mandate and in compliance with all applicable law.
We may use your Personal Information as authorized or required by law or to provide services related to the diagnosis, treatments, follow-up of healthcare issues and/or medical matters, including absenteeism issues, accommodation requests, short- and long-term disability insurance to Clients, their applicable Employees and Retail Individuals. Such use may include:
- Second opinions on medical diagnoses (remote or in person);
- Care management – a service including healthcare assistance & navigation and limited access to a Care Manager for an Employee or Retail Individual to:
  - Create a plan of action for the issue in question;
  - Provide case specific medical information;
  - Explain and answer questions relating to the issue in question;
  - Provide liaison to treating physicians, consultants and authors of second opinions;
  - Interpretation of consults, test results and other reports;
  - Assist in decision making; and
  - Identify available resources;
- Virtual Medical Director – verify and validate the medical basis of absenteeism and accommodation requests.
Should these purposes change, MedExtra will specify these changes in the Client Care Mandate and the Information Release Form.
De-Identified Information may be used by MedExtra to develop data on health and care services. When possible, instead of using Personal Information, we will use De-Identified Information for the purposes mentioned above or any legal purpose.
Sharing of Personal Information
MedExtra is responsible for Personal Information in its possession or custody. As a result, we require, as a condition to providing Personal Information to any Organization, that such Personal Information not be transferred to any third party for processing, unless such third party has entered into an agreement with MedExtra with respect to the confidentiality and security of such Personal Information; and such Personal Information shall not be used for any purpose other than the purpose for which such Personal Information was collected.
MedExtra will not disclose Personal Information beyond the Client Care Mandate and the Information Release Form with respect to an Employee or Retail Individual to provide services, except with the express Consent of the Retail Individual and Employee concerned or as required or permitted by law.
MedExtra restricts access to Personal Information to its authorized employees and representatives with a “need to know” to perform their duties, as well as to Healthcare Providers, clinics, hospitals or other healthcare Institutions involved in the care of individuals.
More specifically, we may share an Employee’s or a Retail Individual’s Personal Information in the following circumstances:
- Other healthcare providers. We may share an Employee’s or a Retail Individual’s Personal Information with other healthcare providers or practitioners involved in his or her care, including, but not limited to, physicians, psychologists, specialists, pharmacists, lab technicians, nutritionists, physiotherapists, and occupational therapists.
- Service providers. We may hire service providers, which may be affiliates, to perform services on our behalf. We will provide them with only the amount of information necessary in order for them to provide the services required. They are prohibited from using the information for purposes other than facilitating and carrying out the services they have been engaged to provide. They are also prohibited from disclosing the information to others. We will strive to protect Personal Information disclosed to third parties by contractual agreements.
- As permitted or required by law. We will disclose Personal Information where such disclosure is required by law, such as, but not limited to, reporting infectious diseases pursuant to statutory obligation, reporting abuse to regulatory bodies or to law enforcement in certain circumstances, or complying with a subpoena or court order.
- Business transaction. We may disclose Personal Information to a third party in connection with a sale or transfer of business or assets, an amalgamation, re-organization or financing of parts of our business. However, in the event the transaction is completed, Personal Information will remain protected by applicable privacy laws. In the event the transaction is not completed, we will require the other party not to use or disclose such Personal Information in any manner whatsoever and to completely delete such information.
When possible, instead of using Personal Information, we will share De-Identified Information for the purposes mentioned above or any legal purpose.
MedExtra makes every reasonable effort to ensure that Retail Individuals and Employees are advised of the purposes for which their Personal Information will be used. Such purposes are stated in such a manner that a layperson can reasonably understand how the information will be used or disclosed.
MedExtra does not, as a condition of providing its services, require an Employee or a Retail Individual to Consent to the Collection, use, or Disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
The form of the Consent sought by MedExtra may vary, depending upon the circumstances and the type of information. In determining the form of Consent to use, MedExtra considers the sensitivity of the information.
- Where MedExtra collects Basic Information, MedExtra considers that there is express Consent to the Collection, use and Disclosure of such Basic Information.
- Where MedExtra collects Case Information, MedExtra requires Employees and Retail Individuals to provide express written Consent to the Collection, use or Disclosure of such Case Information, prior to its Collection, use or Disclosure.
- The written Consent may be of a form that permits MedExtra to collect Case Information from multiple sources identified by the Retail Individual or Employee in writing.
MedExtra also considers that the purposes for which Personal Information collected directly from a Client/Employee/Retail Individual or from a source other than the Client/Employee/Retail Individual concerned is used and disclosed are consistent with the purposes for which such information was originally collected, and are not in conflict with the reasonable expectations of the Employee/Client/Retail Individual.
The way in which MedExtra seeks Consent varies, depending on the circumstances and the type of information collected. Consent can also be given by an authorized representative of an Employee/Retail Individual (such as a legal guardian or a person having power of attorney). To the extent that an Employee/Retail Individual has a substitute decision maker, we may require that the authorized representative validate their authority to act on such Employee’s/Retail Individual’s behalf, including to provide Personal Information to a Healthcare Provider or to ask to see the Employee’s/Retail Individual’s records.
- Where MedExtra collects medical files from Healthcare Providers or Institutions, the “Information Release Form” is solicited for review, or to communicate with treating or prospective healthcare professionals, healthcare networks, clinics and hospitals.
Employees/Retail Individuals can give Consent in many ways. For example:
- An application form may be used to seek Consent, collect information, and inform the Employee/Retail Individual of the use that will be made of the information. By completing and signing the form, the Employee/Retail Individual is giving Consent to the Collection and the specified uses; or
- Consent may be given orally when information is collected from the Employee/Retail Individual over the telephone.
An Employee/Retail Individual can withdraw his or her Consent to the Collection, use and third-party Disclosure of his or her Personal Information by MedExtra, except where the Collection, use, or Disclosure is required by law, by contacting email@example.com. However, without such Consent, we may limit the services we are able to provide. We will inform the Employee/Retail Individual and Client of the consequences of such withdrawal, including if there are any significant consequences that might result with respect to the Employee’s/Retail Individual’s care and treatment. An Employee/Retail Individual or a Client can also opt out of receiving commercial electronic messages from MedExtra at any time by contacting firstname.lastname@example.org or by simply clicking the link labeled “unsubscribe” at the bottom of any commercial electronic communication we send you.
Accessing and Correcting your Personal Information
MedExtra uses its best efforts to ensure that Personal Information collected by it is accurate, complete and up to date. MedExtra will not, however, as a matter of routine, update Client Case Information. MedExtra updates Case Information when relevant to the Client’s mandate concerning an Employee.
You have the right to access and correct your Personal Information in a timely manner.
MedExtra will, upon request by any Employee/Retail Individual or Client at any time (and evidence confirming the identity of the individual requesting the information), provide the Employee/Retail Individual with any identifiable Personal Information in MedExtra’s possession concerning such Employee/Retail Individual. MedExtra reserves the right to make sensitive medical information available through a Care Manager. The Care Manager’s time will be charged at the current hourly rate ($100/hour).
MedExtra will provide, as part of the information, either a list of the third parties to which it has disclosed the information or to which it may have disclosed the information, depending upon the needs of the Employee/Retail Individual or Client requesting the information.
MedExtra will respond to any request as promptly as possible, and in any event within 30 days. The only costs to respond to an Employee’s/Retail Individual’s or Client’s request would be for the time spent by the Care Manager, postage and any third-party costs for data retrieval authorized by the Employee/Retail Individual. The requested information will be provided or made available in an easily understandable form, together with any required explanation of abbreviations or codes.
If an Employee/Retail Individual successfully demonstrates the inaccuracy or incompleteness of his or her Personal Information, the information will be amended, immediately, by correcting or deleting information or adding information, as required. Where appropriate, MedExtra will promptly transmit the amended information to third parties to which MedExtra has previously provided the information in question.
Where a challenge concerning the accuracy or completeness of Personal Information is not resolved to the satisfaction of the Employee/Retail Individual, the substance of the unresolved dispute will be recorded by MedExtra. Where appropriate, the existence of the unresolved dispute will be promptly transmitted by MedExtra to third parties to whom MedExtra has previously provided the information in question.
In limited circumstances, and only in compliance with applicable law, you may be denied access to or correction of your records. If we refuse to correct your Personal Information, you can request that a note be made to reflect this on your file.
Personal Information will be retained only as long as necessary for the fulfilment of the purposes for which it was collected and for which Consent was received, unless otherwise required by law. Personal Information that is no longer required to fulfil the identified purposes will be destroyed, erased or made anonymous. MedExtra has developed and implemented detailed retention principles and will ensure destruction of Personal Information in a method that prevents improper access. We also use contractual means to ensure that any Organization to which we disclose Personal Information is similarly obligated.
Safeguarding Personal Information
All Personal Information collected by MedExtra is kept in the format received and in computer format. MedExtra transmits Employee files by mail, facsimile, courier, or electronic transmission.
The methods of protection used by MedExtra include:
- Physical measures, such as a segregated computer system and restricted access to its premises and computer facilities;
- Organizational measures, such as internal audits, security clearances, restricted access to the Personal Information and penalties for any breach of such measures; and
- Technological measures, such as periodic testing of its computer security systems and confidential passwords.
In addition, employees and representatives of MedExtra who are granted access to Personal Information are made aware through regular, compulsory in-house seminars of the importance of maintaining the confidentiality of Personal Information and are required to enter into confidentiality agreements prior to installation to a position.
MedExtra cannot guarantee the confidentiality and the security of information transmitted by you over the Internet, or the time required to transmit such information. Accordingly, you acknowledge that MedExtra, its employees and its representatives shall not be held responsible for losses or damages of any nature which may arise directly or indirectly from a breach of the confidentiality of information transmitted over the Internet or a delay in the transmission of such information to MedExtra.
We operate on server infrastructure wholly located within Canada. Your Personal Information may be stored in a Canadian province other than your province of residence.
MedExtra wishes to be transparent and open about its policies and practices with respect to the management of Personal Information, and will provide to any Client or Employee/Retail Individual, upon request and prepayment, easily understandable information about its policies and practices.
More information can be obtained directly from MedExtra by mail (MedExtra, 457 Bord-du-Lac/Lakeshore, Dorval, QC, H9S 2A9, to the attention of Andréanne Martin, Privacy Officer); upon request by email (to email@example.com); by fax (514-526-4521) or telephone (1-877-37-EXTRA).
If you have any questions about the application of this Policy to your Personal Information, or wish to make an inquiry or submit a complaint, you should contact our privacy officer at firstname.lastname@example.org. You also have the right to bring any matters to the attention of the Privacy Commissioner of your province or territory of residence, a list of which is available at: https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/provincial-and-territorial-privacy-laws-and-oversight/
MedExtra will, within a maximum of two weeks, inform individuals who make inquiries or lodge complaints of the existence of the relevant complaint procedures.
MedExtra will promptly investigate all complaints. If a complaint is found to be justified through either the internal or external complaint review process, MedExtra will take prompt and appropriate measures, including if necessary, amending its policies and practices.