Privacy Policy for All Clients


Welcome to Margarita Rabinovich, RP & Associates. This document outlines Margarita Rabinovich, RP & Associates’s privacy practices and policies, and provides information about confidentiality and laws related to the collection, use and disclosure of your personal health information while engaged in services through our organization.

Who We Are:

Margarita Rabinovich, RP & Associates is composed of a group of social workers, registered psychotherapists, accounting and marketing contractors. We are a group of mental health care professionals. We also work with consultants or agencies that may, in the course of their duties, have limited access to personal health information in our possession.

What is Personal Health Information?

Personal health information is data that can be used to identify a person and details of their healthcare. This may include contact information (e.g., name, address, telephone number, e-mail address), personal characteristics (e.g., age, gender, cultural/ethnic background), and health details (e.g., presenting issues, health history, medical/mental health conditions, treatments being received).

Margarita Rabinovich, RP & Associates, and the social workers and psychotherapists who provide Client Services (the “Therapist(s)”) are committed to protecting the privacy and confidentiality of the personal health information they hold on behalf of clients. In this Privacy Policy, “you”, “your” and “client” or “clients” refers to the users of Margarita Rabinovich, RP & Associates’s services, as defined in our Terms of Use, and for clarity, includes a user’s substitute-decision maker as defined in the Personal Health Information Protection Act, 2004 (“PHIPA”).

Each Therapist who provides care to clients registered through Margarita Rabinovich, RP & Associates is a health information custodian (“Health Information Custodian”) under Ontario’s health privacy legislation, the PHIPA. In this Policy, “we” and “our” refers to the Therapists, and Margarita Rabinovich, RP & Associates acting as their agent.

To that end, in order to fulfill their privacy obligations as Health Information Custodians, the Therapists and Margarita Rabinovich, RP & Associates have entered into a legal agreement to make Margarita Rabinovich, RP & Associates an agent of the Therapists under PHIPA. As an agent of the Therapists, Margarita Rabinovich, RP & Associates has a variety of roles, including acting as privacy officer for each of the Therapists, and for running the overall privacy program on their behalf.

Margarita Rabinovich, RP & Associates is also a custodian of personal information and subject to the Protection of Personal Information and Electronic Documents Act in respect of personal information that it collects from Clients that does not relate to Client Services, and which information it uses for the purposes identified below.

Your information may be released without your consent in the following situations:

Harm to Self / Others

If there is reason to believe that you are in danger of harming yourself or others in ways that may be life-threatening, Margarita Rabinovich, RP & Associates is ethically obliged to take action to ensure your safety and/or the safety of others. These steps may include contacting your identified emergency contact person, a family member or close other, seeking hospitalization, contacting the police, notifying others at risk, or some combination of these actions to ensure you and/or others are protected.

Abuse / Neglect

If there are reasonable grounds to suspect that a child under 16 years of age is, or may be, in need of protection, Margarita Rabinovich, RP & Associates must, by law, report this information to a children’s aid society. Examples of reportable situations include physical harm/abuse, sexual abuse, emotional harm (e.g., verbal abuse, humiliation, witnessing violence), or a pattern of neglect or failure to protect a child from harm. Additionally, if there are reasonable grounds to suspect that a resident of a nursing, retirement or other long-term care home has suffered harm, or is at risk of harm due to improper or incompetent treatment or care, unlawful conduct, abuse or neglect, or possible misuse or misappropriation of the resident’s money or funding, Margarita Rabinovich, RP & Associates is required to report this information to the Registrar of the Retirement Homes Regulatory Authority, or long-term care home director.

Sexual Abuse by a Regulated Health Professional

If there are reasonable grounds to believe that another regulated health professional has sexually harassed or abused a client, Margarita Rabinovich, RP & Associates must, by law, report this health professional’s name and information related to the sexual abuse to the appropriate regulatory body.

Court Order

Our records can be subpoenaed by a court order and Margarita Rabinovich, RP & Associates may be required to testify and give information obtained during the course of any assessment and treatment sessions. This information would never be provided voluntarily, without your direct request or permission, in the absence of a court order.

It is important to note that as registered healthcare professionals, we may also be required to make our files available for audit by our regulatory body (e.g., College of Psychotherapists of Ontario), third-party payer agencies (if applicable, e.g., Financial Services Commission of Ontario) or by the government. These audits are confidential, and a record of the audit will be inserted into your client file.

Missing Persons

If the police present a Court Order, Search Warrant or Urgent Demand for records related to a missing person, Margarita Rabinovich, RP & Associates is required to provide the information and/or records sought by police in order to assist with locating that missing person.

Principle 1 – Accountability for Personal Health Information.

As Health Information Custodians, Therapists are responsible for the personal health information they hold on behalf of clients to whom they provide Client Services. As an agent to the Therapists, Margarita Rabinovich, RP & Associates helps facilitate privacy compliance (both with PHIPA and this Privacy Policy) and as Privacy Officer for each Therapist:

Privacy Officer

margarita@mindfulnesstherapyservices.ca

Margarita Rabinovich, RP & Associates, on behalf of the Therapists, has also contracted with a third-party vendor, Jane Software Inc. (the “Jane App”), as an electronic medical record (“EMR”) and virtual care platform service provider to support the Therapists and house client information. To be clear, the Jane App is an agent and electronic services provider to each Therapist and each Therapist has appointed Margarita Rabinovich, RP & Associates as its PHIPA agent. For more information on the Jane App’s privacy practices, please see the Jane App’s Privacy Policy.

Margarita Rabinovich, RP & Associates assumes a central role in privacy training for Therapists and their agents in relation to the work done through Margarita Rabinovich, RP & Associates.

Principle 2 – Identifying Purposes for Collecting Personal Health Information.

Therapists, and Margarita Rabinovich, RP & Associates at the direction of Therapists as their agent, collect personal health information from clients for purposes related to direct care, administration and management of programs and services, keeping in touch with you, billing, administration and management of the health care system, research, teaching, statistical reporting, and fundraising, marketing, meeting legal obligations and as otherwise permitted or required by law.

In particular, personal information and personal health information may be collected for the following purposes and using the following services:

  1. Attributing incoming phone calls to the proper marketing channels (tracking marketing initiatives)
  2. Routing incoming calls to allow for a reception team when receptionists/therapists are unavailable
    1. Call Tracking Metrics: Personal Data: phone number, caller ID/display name, device information, various types of other Data as specified in the privacy policy of the service.

When personal health information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is permitted or required by law, consent will be required before the information can be used for that purpose.

Principle 3 – Consent for the Collection, Use and Disclosure of Personal Health Information.

Under PHIPA, Health Information Custodians require consent in order to collect, use, or disclose personal health information. However, there are some cases where we may collect, use or disclose personal health information without consent, as permitted or required by law. Similarly, custodians under PIPEDA require consent to collect, use or disclose your personal information, that is, information that can be used, alone or in combination with other information, to identify you.

Express consent

Should a client wish his/her lawyer, insurance company, family, employer, landlord or other third party individuals or agencies (non-health care providers) to have access to his/her health record, the client must provide verbal or written consent to this effect. Access and correction requests are discussed further below.

Implied consent (Disclosures to other health care providers for health care purposes)

Client information may also be released to a client’s other health care providers for health care purposes (within the “circle of care”) without the express written or verbal consent of the client as long as it is reasonable in the circumstances to believe that the client wants the information shared with the other health care providers. No client information will be released to other health care providers if a client has stated he/she does not want the information shared (for instance, by way of the placement of a “lockbox” on his/her health records).

A client’s request for treatment constitutes implied consent to use and disclose his/her personal health information for health care purposes, unless the client expressly instructs otherwise.

No Consent

There are certain activities for which consent is not required to use or disclose personal health information. These activities are permitted or required by law. For example, we do not need consent from clients to (this is not an exhaustive list):

  • Plan, administer and manage our internal operations, programs and services
  • Get paid
  • Engage in quality improvement, error management, and risk management activities
  • Participate in the analysis, administration and management of our services and the health care system
  • Engage in research (subject to certain rules)
  • Teach, train and educate members of our team and others
  • Compile statistics for internal or mandatory external reporting
  • Respond to legal proceedings
  • Comply with mandatory reporting obligations

If anyone under our employ has questions about using and disclosing personal health information without consent, they can ask the Privacy Officer.

Withholding or Withdrawal of Consent

If consent is sought, a client may choose not to give consent (“withholding consent”). If consent is given, a client may withdraw consent at any time, but the withdrawal cannot be retroactive. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.

Lockbox

PHIPA gives clients the opportunity to restrict access to any personal health information or their entire health record by their health care providers or by external health care providers. Although the term “lockbox” is not found in PHIPA, lockbox is commonly used to refer to a client’s ability to withdraw or withhold consent for the use or disclosure of their personal health information, but only for health care purposes. A lockbox does not affect the other uses and disclosures under PHIPA that are permitted or required, without consent, including the authority for a Health Information Custodian to disclose personal health information to reduce or eliminate a significant risk of serious bodily harm.

If a Therapist no longer provides client services through Margarita Rabinovich, RP & Associates, his/her/their clients will be notified and will have a choice of whether and where to transfer their health records in accordance with the rules/guidelines set forth by the applicable health regulatory college.

Principle 4 – Limiting Collection of Personal Health Information.

The amount and type of personal health information collected by the Therapists through Margarita Rabinovich, RP & Associates (or by Margarita Rabinovich, RP & Associates to use their Services) is limited to that which is necessary to fulfill the purposes identified. Information is collected directly from the client, unless PHIPA or another law permits or requires collection from third parties. Personal health information is only collected as needed to fulfill the health care role of individual staff.

Principle 5 – Limiting Use, Disclosure and Retention of Personal Health Information.

Use

Personal health information is not used for purposes other than those for which it was collected, except with the consent of the client or as permitted or required by law. The Therapists (and their agents who assist in providing health care) use the information within the limits of their individual roles. They do not read, look at, receive or otherwise use personal health information unless they have a legitimate “need to know” as part of their role. If the agent is uncertain, the Privacy Officer will assist.

Disclosure

Personal health information is not disclosed for purposes other than those for which it was collected, except with the consent of the client or as permitted or required by law.
Personal health information may only be disclosed within the limits of each agent’s role, including agents of agents, such as the Jane App, which are agents of Margarita Rabinovich, RP & Associates, an agent of each Therapist.

Retention

Health records are retained as required by law and professional regulations and to fulfill the purposes for which personal health information is collected.

For example, the standards of health regulatory Colleges and associations apply; e.g. the College of Registered Psychotherapists of Ontario (CRPO) advises their members to retain appointment records for at least 5 years, and financial records for at least 5 years from the last interaction with the client or until the client’s 18th birthday, whichever is later. Record retention periods may differ across Canada; our Therapists retain their records in accordance with applicable law. There may be reasons to keep records for longer than this minimum period.

Personal health information that is no longer required to be retained by law, or to fulfill the identified purposes is securely destroyed, erased, or made anonymous.

Principle 6 – Accuracy of Personal Health Information.

We will take reasonable steps to ensure that information we hold is as accurate, complete, and up to date as is necessary to minimize the possibility that inappropriate information may be used to make a decision about a client.

Principle 7 – Safeguards for Personal Health Information.

We have put in place safeguards for the personal health information we hold, which include:

  • Physical safeguards;
  • Organizational safeguards (such as permitting access to personal health information by staff on a “need-to-know” basis only); and
  • Technological safeguards (such as the use of passwords, encryption, and audits)

We take steps to ensure that the personal health information we hold is protected against theft, loss and unauthorized use or disclosure.
We require anyone who collects, uses or discloses personal health information on our behalf to be aware of the importance of maintaining the confidentiality of personal health information. This is done through the signing of confidentiality agreements, privacy training, and contractual means.

For the safeguarding of personal health information during the provision of virtual care, or communication with users via e-mail, we take additional steps as follows:

  • use only visual conferencing software and e-mail provided by Jane, unless you consent to communicating with us via other e-mail, such as Google Workspace (HIPAA compliant);
  • use firewalls and protections against software threats;
  • regularly update our Website with the latest security and anti-virus software;
  • monitor and review logs to the extent we can obtain them;
  • review and set default settings to the most privacy protective;
  • verify and authenticate a client’s identity before engaging in an email exchange;
  • obtain client consent to communicate personal health information via electronic means;
  • send a test message to confirm receipt by intended recipient;
  • keep all technology containing personal health information in a secure location;
  • keep portable devices containing personal health information in a secure location, such as a locked drawer or cabinet, when they are unattended;
  • use passwords, lock screens and physical barriers to keep personal health information secure;
  • prohibit sharing of passwords;
  • ensure there are no unauthorized persons attending or within hearing or viewing distance during the provision of Client Services by videoconference;
  • restrict access to servers to only authorized individuals and keep such locations locked when unattended;
  • your videoconferences are not recorded.

If you agree to the E-mail and Videoconference Policy we may use e-mail, in addition to videoconferencing, to communicate your personal health information. If we do this we will:

  • verify your identity;
  • correctly address e-mails, double-checking to avoid misdirection;
  • send test messages in advance and seek confirmation of receipt by the intended recipient;
  • provide a confidentiality notice in the email with instructions to follow if the email is received in error;
  • communicate via Jane only and not through personal accounts or devices, unless you have directed us and consented otherwise;
  • confirm the accuracy of your email address and telephone number;
  • acknowledge receipt of e-mails on a reasonably prompt basis;
  • minimize or avoid disclosing personal health information in subject lines and message content as much as possible;
  • ensure strong access controls such as password protection and encryption;
  • avoid the transmission of personal health information if the client declines to consent or encryption is not available;
  • update software regularly.

Care is used in the secure disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the information.

Privacy breach protocols are in place in case of theft, loss or unauthorized access to client personal health information. If Margarita Rabinovich, RP & Associates or a Therapist becomes aware of a breach, they will work collaboratively to minimize the effects of the breach and prevent further breaches using the following process:

  1. Notification of unauthorized access by Margarita Rabinovich, RP & Associates or the Therapist to the other;
  2. Containment and minimization of the breach;
  3. Assessment of the risk of access to the personal health information (was it encrypted?);
  4. Notification to the client if the risk of access to the client personal health information is necessary;
  5. Investigation of the circumstances that led to the breach;
  6. Implementation of improved processes to prevent future breaches of similar type;
  7. Updated privacy training, as needed;
  8. Reporting to the regulator, as required by law.

Principle 8 – Openness about Personal Health Information.

Information about our policies and practices relating to our management of personal health information is available to the public, including:

  • Contact information for our Privacy Officer, to whom complaints or inquiries can be made;
  • The process for obtaining access to personal health information we hold, and making requests for its correction;
  • A description of the type of personal health information we hold, including a general account of our uses and disclosures; and
  • A description of how a client may make a complaint to Margarita Rabinovich, RP & Associates at margarita@mindfulnesstherapyservices.ca about Therapist privacy practices, or to the Information and Privacy Commissioner of Ontario.

Principle 9 – Client Access to Personal Health Information.

Clients may make written requests to have access to their records of personal health information.

We will respond to a client’s request for access within reasonable timelines and costs to the client, as governed by law. We will take reasonable steps to ensure that the requested information is made available in a format that is understandable.
 
Clients who successfully demonstrate the inaccuracy or incompleteness of their personal health information may request that we amend their information. In some cases, instead of making a correction, clients may ask to append a statement of disagreement to their file.

Please Note: In certain situations, we may not be able to provide access to all of the personal health information we hold about a client, such as where the access could reasonably be expected to result in a risk of serious harm or the information is subject to legal privilege.

Client Access to Information

With limited exceptions, we are required by law to give clients who make requests in writing access to their records of personal health information within 30 days (subject to a time extension of up to an additional 30 days if necessary and with notice to the person making the request).

  • Requests to Access
    • Client requests (or by a client’s substitute decision-maker or with consent of the client) for their own information should be made in writing.
    • If a request for access is made directly to the Therapist, the Therapist shall direct the client to Margarita Rabinovich, RP & Associates’s usual process for release of records. That usual process shall include consultation between Margarita Rabinovich, RP & Associates and the Therapist and any decision regarding access shall be solely that of the Therapist. Margarita Rabinovich, RP & Associates may assist the client with locating the desired information/document in the record. Because records may be difficult to read and interpret and may mislead or alarm a client, clients will be encouraged to review the records with Margarita Rabinovich, RP & Associates (or a delegate) so the information can be explained.
    • If a client wishes to read the original health record, someone must be present to ensure the records are not altered or removed. Clients may not make notes on the original health record or remove originals from the health record or otherwise alter their health records. If a client requests a copy of a health record, copies may be given and fees may be applied.
    • The original of the written request for access will be placed with the client’s records and must contain the following:
      • A description of what information is requested
      • Information sufficient to show that the person making the request for access is the client or other authorized person
      • The signature of the client or other authorized person and a witness to the signature
      • The date the written request was signed
    • A notation shall be made in the record (e.g. a handwritten note) stating:
      • What information or records were disclosed
      • When the information or records were disclosed
      • By whom the information or records were disclosed
  • Denying Client Access to Health Records: In certain situations, we may refuse a client’s request for access to all or part of a health record. Exceptions to the right of access requirement must be in accordance with law and professional standards. Reasons to deny access to a health record (or part of a health record) may include:
    • The information is subject to a legal privilege that restricts disclosure to the individual
    • The information was collected or created primarily in anticipation of or for use in a proceeding (and that proceeding and any appeals have not been concluded)
    • The information was collected or created in the course of an inspection, investigation or similar procedure authorized by law or undertaken for the purpose of the detection, monitoring or prevention of a person’s receiving or attempting to receive a benefit to which the person is not entitled under law (and the inspection or investigation has not been concluded)
    • If granting access could reasonably be expected to:
      • Result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person
      • Lead to the identification of a person who was required by law to provide information in the record
      • Lead to the identification of a person who provided information explicitly or implicitly in confidence (if it is appropriate to keep that source confidential)

Clients must be told if they are being denied access to their own health records. In such cases, clients have a right to complain to the Information and Privacy Commissioner of Ontario, and must be told of this right and how to reach the Commissioner’s office.

Correction of Health Records

We have an obligation to correct personal health information if it is inaccurate or incomplete for the purposes it is to be used or disclosed.

Clients may request that their health information be corrected if it is inaccurate or incomplete. Such requests must be made in writing and must explain what information is to be corrected and why.

We must respond to requests for correction within 30 days (or seek an extension of up to an additional 30 days but only if we have let the client know, in writing). Corrections are made in the following ways:

  • Striking out the incorrect information in a manner that does not obliterate the record or
  • If striking out is not possible:
    • Labelling the information as incorrect, severing it from the record, and storing it separately with a link to the record that enables Margarita Rabinovich, RP & Associates or the Health Information Custodians to trace the incorrect information, or
    • Ensuring there is a practical system to inform anyone who sees the record or receives a copy that the information is incorrect and directing that person to the correct information.

The record will not be corrected if:

  • The record was not originally created by the Health Information Custodians and the Health Information Custodians do not have the knowledge, expertise or authority to correct the record, or
  • The record consists of a professional opinion which was made in good faith.

If we choose not to correct a record, the client must be informed in writing. The client will have the choice to submit a statement of disagreement, which will be scanned onto the health record and released any time the information that was asked to be corrected is released. In these cases, clients have a right to complain to the Information and Privacy Commissioner of Ontario.

Principle 10 – Challenging Compliance with Margarita Rabinovich, RP & Associates’s Privacy Policies and Practices.

Any person may ask questions or challenge our compliance with this policy or with PHIPA by contacting our Privacy Officer or the Health Information Custodian that provided care to you.

We will receive and respond to complaints or inquiries about our policies and practices relating to the handling of personal health information. We will inform clients who make inquiries or lodge complaints of other available complaint procedures.

We will investigate all complaints. If a complaint is found to be justified, we will take appropriate measures to respond.

The Information and Privacy Commissioner of Ontario oversees compliance with privacy rules and PHIPA. Any individual can make an inquiry or complaint directly to the Information and Privacy Commissioner of Ontario by writing to or calling:

2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8 Canada
Phone: 1 (800) 387-0073 (or (416) 326-3333 in Toronto)
Fax: 416-325-9195
www.ipc.on.ca 

Questions and Complaints:

If you have any questions about our privacy practices and procedures, we encourage you to contact:

Margarita Rabinovich, RP
margarita@mindfulnesstherapyservices.ca
905-928-3396

If we cannot satisfy or resolve your concerns, you have the right to file a complaint with your clinician’s regulatory body:

The College of Registered Psychotherapists of Ontario (CRPO)
375 University Avenue, Toronto, Ontario M5G 2J5
Tel: (416) 479-4330
Fax: (416) 639-2168
Web: www.crpo.ca

The Ontario College of Social Workers and Social Service Workers (OCSWSSW)
250 Bloor Street East, Suite 1000, Toronto, Ontario M4W 1E6
Tel: (416) 972-9882
Fax: (416) 972-1512
Web: www.ocswssw.org

Personal Data processed for the following purposes and using the following services:

  • Analytics
    • Google Analytics: Personal Data: Cookies; Usage Data
  • Contacting the User
    • Contact form: Personal Data: email address; first name; last name; various types of Data
    • Phone contact: Personal Data: phone number
    • Mailing list or newsletter: Personal Data: email address; first name; last name; Usage Data
  • Displaying content from external platforms
    • Google Maps widget, Vimeo video and YouTube video widget: Personal Data: Cookies; Usage Data
  • Interaction with external social networks and platforms
    • Facebook and Instagram Like button and social widgets: Personal Data: Cookies; Usage Data
