Privacy Policies

AlayaCare’s Commitment to Privacy 

Effective as of November 1, 2020 

AlayaCare’s Privacy Policies set out the key elements of how we address the privacy and security of the data and other information entrusted to us: 

  • by our customers through their access and use of the AlayaCare electronic health record platform including its related mobile applications and other online services, e.g. our family/patient portals (collectively, Services),  
  • by our business partners and specific third-party providers of key services to us; and 
  • by everyone else, including prospective customers, those who seek information or contact us through our website, and users of our software other than our corporate customers, including care providers and contractors who work with our customers.

As privacy laws and practices evolve, we may amend this Policy from time to time. While we will endeavour to give reasonable notice of such changes, we do reserve the right to do so without prior notice where it is necessary (e.g. required by legal changes). For our customers, we will endeavor to communicate any changes and updates as provided in our contracts and also through the communication channels provided in our software platform. 

For any questions, requests or concerns regarding privacy you can contact us anytime at privacy@alayacare.com and we’ll respond to you within 24 hours. 

Our Privacy Policies explain what Personal Information (see our Glossary of Terms for definitions and explanations of key terms) we collect, why we collect it, how we use it, and how we take instructions regarding the protection and management of this information. For health data and other information provided to us through our Services, we have contracts (Provider Agreementswith our customers that provide specific provisions relating to their use of that information in their provision of home care and home health servicesThis Privacy Policy supplements specific provisions in those Provider Agreements, however in the event of a conflict, the Provider Agreement will control. In addition, we enter into Business Associate Agreements (BAAs) with our Customers in the US pursuant to HIPAA. 

AlayaCare’s SaaS Platform Privacy Policy – for Our Customers 

Overview 

This section of our Privacy Policy describes how we collect, receive, use, store, share, transfer, and process Customer Data on behalf of our customers as part of our Services 

We process Customer Data under the direction and control of our customers. We retain no ownership of, nor do we have control over the origination or validity of the Personal Data we process on behalf of our customers. Wdo not request, nor do we maintain, direct relationships with individuals whose Personal Data we maintain in Customer Databases we host and manage as part of our Services to our Customers. Accordingly, we do not directly request nor collect consents nor instructions to access, correct, update or delete personal information, which requests should be made directly to our Customers. We will honor and support any instructions they provide us with respect to Personal Data maintained in our databases.  

Our Customers are responsible for complying with any regulations or laws that require providing notice, disclosure, and/or obtaining consent prior to transferring the Personal Data to AlayaCare and its software platform 

If you are a home care / home health service worker and have questions about personal or health information, either yours or a client’s, you should check with your home care/ home health agency. 

Protecting Personal Information and Health-related Information 

AlayaCare is a provider of hosted, electronic health record solutions to its Customers who health care providers and subject to laws and regulations governing the use and disclosure of Protected Health information or PHI.  In Canada, provincial laws govern the handling of PHI (see Table 1: Applicable Privacy Laws).  In the United States, HIPAA and HITECHalong with the regulations adopted under those statutes, and similar state laws (where those laws are more stringent than HIPAA) govern the handling of PHI in the United States. Health care providers are considered to be Covered Entities under HIPAA and are subject to its rules regarding PHI. AlayaCare, delegated by its Customers to access and manage PHI, is considered a Business Associate under HIPAA and a Business Associate Agreement or BAA is required between AlayaCare and the Covered Entity. Our standard form of BAA can be found here.

Although the terminology differs in Canada (many provinces use the term “Custodian” in lieu of “Covered Entity”) and there isn’t an equivalent to a Business Associate or a BAAAlayaCare applies the same rigorous standards and practices for safeguarding the confidentiality, integrity and accessibility of PHI in all jurisdictions. 

Security, Threats and Breach Notification 

AlayaCare’s software platform and the Services we deliver have physical, administrative and technical security measures in place to protect against the loss, misuse, unauthorized access and alteration of data and Personal Information under our direct control.  When the Services are accessed using current browser technology, Secure Socket Layer or SSL technology protects information using both server authentication and data encryption to help ensure that data is safe, secure, and available only to each specific CustomerAlayaCare also implements an security methodology based on dynamic data and encoded session identifications and hosts the Service in a secure server environment which uses firewalls and other advanced technology to prevent interference or access from outside intruders. Unique usernames and passwords are also required and must be entered each time a customer logs into the Service.  We are committed to educating our staff about the protection of Personal Information, and the importance of compliance with relevant privacy legislation and company policies.  All employees and contractors are required to sign confidentiality agreements.  

These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of Personal Information; however, it is important to remember that no system can guarantee 100% security at all times. In the event that we detect a threat to security or security vulnerability, we may attempt to contact our Customers to recommend protective measures. Additionally, incidents of suspected or actual unauthorized handling of Personal Information are always directed to AlayaCare’s Legal and Compliance team, which is responsible for determining escalation and response procedures, depending on the severity and nature of the incident. Incidents involving unauthorized handling of PHI or equivalent will be governed by relevant legislation (and a BAA where applicable). If AlayaCare determines that Personal Information has been misappropriated or otherwise wrongly acquired, it will promptly issue a report to each affected Customer. 

For our Customers who subscribe to or otherwise license Embedded Technologies or Connected Services, it is important to note that the third parties who provide those services may have different procedures in place to protect Personal Information than the standards AlayaCare has implemented. AlayaCare cannot be responsible for their policies or their compliance with them, regardless of whether we have integrated their solutions into our Services and/or made them available to you. 

Retention and Deletion 

AlayaCare will retain Personal Information: as necessary for the purposes outlined in this Policy; 

  • as required to manage and administer the Services;  
  • as required to carry out any legal responsibilities (e.g., legal holds and other legal procedures);  
  • to resolve a dispute (including enforcement of a contract); or, 
  • as expressly communicated to a Customer at the time of collection.  

For as long as a Customer’s account remains active, and then until all applicable retention periods have expired, we will retain all Personal Information in a manner designed to ensure that it cannot be reconstructed or read. Following such periods, if is not feasible for us to delete or destroy such retained Personal Information, we will continue using the same safeguards of protection and security outlined in this Policy and related subordinate policies, for as long as it cannot be destroyed.  

Collection of and Permitted Uses of Personal Information 

AlayaCare may collect Personal Information from its Customers or from its Customers’ end users directly via the use of its software platform or via other interfaces with authorized healthcare information providers, including but not limited to the following Personal Information: 

  • Patient demographic information 
  • Patient medical history 
  • Remote patient monitoring data 
  • Reports created by employees of our Customers during healthcare interventions with their clients 
  • Time and attendance data (including geolocation) related to visits with patients 
  • We may also collect system information to diagnose and debug software issues. Such information may be linked with Personal Information contained in a Customer account, so it may be regarded as Personal Information. 

AlayaCare does not use nor disclose Personal Information for purposes other than those for which it was collected, except with its Customers’ consent (including contractual consent) or as required by law. 

AlayaCare will use Personal Information as required to optimize the Services we provide to our Customers, to provide updates for the Services and to provide support and maintenance services. We may also use aggregated usage information for statistical purposes, e.g. showing the total traffic through one of our servers. We may also use usage information to evaluate and improve the features and functionality of our Services. 

Sharing and Disclosure. IN NO CASE WILL ALAYACARE SELL OR RENT PERSONAL INFORMATION TO THIRD PARTIES. AlayaCare will only share Personal Information to the following: 

  • Service providers that facilitate our Services, provide any or all part of the Services on our behalf or help us improve the Services (for example, data storage, web analytics, mapping providers and maintenance service providers). These services providers have access to Personal Information only for purposes of performing these tasks on our behalf; and 
  • Law enforcement officials, governmental agencies, or other legal authorities (i) in response to their request; (ii) when permitted or required by law; (iii) to establish our compliance with applicable laws, rules, regulations, or guidelines; or (iv) or to establish, protect, or exercise our legal rights or defend against legal claims or demands. 
  • Any other person whom you authorize the disclosure to pursuant your usage of the Applications. 
  • We may also share with third parties certain aggregated non-personal information about our users. 

Data Residency 

Unless otherwise specified, AlayaCare hosts each Customer’s production database in the Customer’s country of residence. AlayaCare may provide certain support Services from its headquarters in Canada, and in such cases AlayaCare may access a Customer’s data from Canada for purposes of, for example: responding to support requests; fixing software issues; or, providing services to a Customer that can only be performed on the “back end” of our software platform (e.g., correcting errors in specified Customer Data, adding/removing a Customer’s data in the event of a purchase/sale/change in management, or performing simulation testing of our disaster recovery plans). Further information on data residency is set out here.

AlayaCare’s General Privacy Policy – Interacting with www.alayacare.com 

In addition to the uses identified elsewhere in this Privacy Policy, we may use your Personal Information to: 

  • improve your browsing experience by personalizing the Websites and to improve the Subscription Service; 
  • send information to you which we think may be of interest to you by post, email, or other means and send you marketing communications relating to our business; 
  • promote use of our services to you and share promotional and information content with you in accordance with your communication preferences; 
  • provide other companies with statistical information about our users -- but this information will not be used to identify any individual user and will only be shared on an aggregate and de-identified basis; 
  • contact you about billing, account management, and other administrative matters; 
  • send information to you regarding changes to our Customer Terms of Service, Privacy Policy (including the Cookie Policy), or other legal agreements; 
  • investigate and help prevent security issues and abuse; and 
  • meet legal requirements. 

We may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, we do not transfer your Personal Information to the third party. 

We use Navigational Information to operate and improve the Websites and to provide you with a better experience when you interact with AlayaCare Software. Navigational Information, such as IP address, is used to approximate your location. 

You may disable the collection and use of your location data through browser, operating system or device-level settings. Consent concerning location data may be withdrawn at any time by providing us with email notice at privacy@alayacare.com. 

If you receive promotional emails from us and you no longer wish to receive any such emails, you may follow the unsubscribe instructions in each of the email communications you receive.  

Customer Testimonials and Comments 

We post customer testimonials and comments on our Websites, which may contain Personal Information. We obtain each customer's consent via email prior to posting the customer's name and testimonial. 

As you browse AlayaCare’s website, advertising cookies will be placed on your computer so that we can understand what you are interested in. Our display advertising partner then enables us to present you with retargeting advertising on other sites based on your previous interaction with AlayaCare. The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number.  

Glossary of Terms 

Personal Information.  Information that is used by a government authority, financial institution or insurance carrier to distinguish a person from other individuals (e.g., social insurance number, social security number, credit card information, or insurance policy number) is private.  Such information can be used to identify an individual (e.g., a person who works at a healthcare facility, or a resident in a healthcare facility).  Certain information may be used to contact a person directly (e.g., an email address, home mailing address or home telephone number).  Depending on the jurisdiction, the above identifiers are considered to be Personal Information (“PI”), Personally Identifiable Information (“PII”), Sensitive Personal Information (“SPI”) or a similar term, and it is private. An individual’s business contact information and business title generally are exempt from privacy laws.  Information about an individual’s health, including insurance and billing information, is also considered – depending on the jurisdiction – to be PI, Personal Health Information (“PHI”), Protected Health Information (also known as “PHI”), Individually Identifiable Health Information (“IIHI”) or a similar term, and it also is private. In Canada and the United States, the laws that primarily govern how we deal with the PI, PII, SPI, PHI and IIHI which you provide to us are listed in the table ‘Applicable Privacy Laws  

Connected Services are certain, specified software functions or related services provided by a third-party software developer or information system provider which AlayaCare makes accessible via, and interoperable with, the AlayaCare platform.  

Customer Data means the electronic health records of clients and users of AlayaCare Customers and other information which would be considered Personal Information under applicable law.  

Embedded Technologies are certain, specified software functions or related services provided by a third-party software developer or information system provider which AlayaCare embeds into its own software platform and makes it available for subscription by its Customers. 

 

Applicable Privacy Laws 

Applicable Law 

Type of Personal Information Governed by the Law 

Jurisdiction 

HIPAA -- Health Insurance Portability and Accountability Act of 1996, P.L. 104-191 

Protected Health Information 

United States 

HITECH -- Health Information Technology for Economic and Clinical Health Act of 2009, P.L. 111-5, Title XIII 

Health Information and Individually Identifiable Health Information 

United States 

Privacy Act 1988 (Cth), the Autralian Privacy Principles, and all applicable Privacy Codes 

Personal Information, including health information, about an identified individual, including information about a person’s private life, working information, or any related commentary. 

Australia 

Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth) 

Commercial electronic messages, other than designated commercial electronic messages or those sent with consent. 

Australia 

Personal Information Protection and Electronic Documents Act, SC 2000, c. 5 

“An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions….” 

Personal Health Information is expressly excluded from Part 1 (“Protection of Personal Information in the Private Sector”). 

Canada 

Canada’s Anti-Spam Legislation 

S.C. 2010, c. 23 

“An act to promote… the economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities….”  

Requires express or implied consent to send commercial electronic messages (e.g., emails, texts and instant messages). 

Canada 

Personal Information Protection Act, SBD 2003, c. 63 

Personal Information (including that relating to the mental or physical health of individuals) 

British Columbia 

Alberta Health Information Act, RSA 200, c. H-5 

Health Information 

Alberta 

Health Information Protection Act, SS 1999, c. H-0.021 

Personal Health Information 

Saskatchewan 

Personal Health Information Act, CCSM, c. P33.5 

Personal Health Information 

Manitoba 

Personal Health Information Protection Act, SO 2004, c. 3, Sch. A 

Personal Health Information 

Ontario 

Personal Health Information Privacy and Access Act, SNB 2009, c. P-7.05 

Personal Health Information 

New Brunswick 

Personal Health Information Act, SNS 2010, c. 41 

Personal Health Information 

Nova Scotia 

Health Information Act, Bill Number 42 of the 64th General Legislative Assembly, 4th Session, 2014 (soon to be in force) 

Personal Health Information 

Prince Edward Island 

Note:  Where the law of a US state is more protective of PHI than HIPAA, it will apply.  Where it is less protective, HIPAA will apply.