Chinook Health Solutions Ltd. Privacy Policy
Overview
Chinook Health Solutions Ltd. ("Chinook," "we," "us," or "our") provides Beetons Clean, a cloud-hosted housekeeping software service, to healthcare facilities and other organizations across Canada and the United States. We are committed to protecting the privacy and confidentiality of personal information in accordance with applicable privacy and health information laws.
Legal Framework
This policy is designed to comply with applicable privacy and health information laws including:
Canada:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Provincial privacy laws (Alberta PIPA, BC PIPA, Quebec Act respecting the protection of personal information in the private sector)
- Provincial health information protection acts (Ontario PHIPA, Alberta HIA, BC E-Health Act, Saskatchewan HIPA, Manitoba PHIA, and others)
United States:
- Health Insurance Portability and Accountability Act (HIPAA)
- State comprehensive privacy laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others)
- Applicable state health privacy laws
Definitions
Personal Information means information about an identifiable individual, including names, email addresses, and photographs.
Personal Health Information (PHI) means any information about an individual that relates to their health, healthcare, or payment for healthcare that can identify them. In healthcare settings, this includes names and photographs when used to identify patients or residents.
Custodian/Covered Entity means the healthcare organization (such as long-term care facilities, skilled nursing facilities, assisted living facilities, and nursing homes) that has custody or control of PHI under applicable health information laws.
Sensitive Personal Information includes health-related data (such as behavioral risk flags) and biometric information (such as photographs used for identification).
Information We Collect
Organization Information
- Organization name, address
- This information is generally considered public and is used for account setup and service delivery
Contact Information
- Names, email addresses of designated site contacts
- Collected for correspondence, account management, and service delivery
- Access restricted to authorized facility personnel with legitimate business need
Staff Information
- Staff names and user credentials for account access
- Used for user authentication and service delivery
- Accessible only through secure, role-based access controls
Resident/Patient Information (Healthcare Settings)
All resident/patient data entry is optional and controlled by the custodian/covered entity. Data may be manually entered or imported from PointClickCare (PCC) systems by facility staff.
When our software is used in healthcare contexts, the following information constitutes Personal Health Information under applicable laws:
- Names (first name, last name) - Used for scheduling cleaning events and managing cleaning records
- Admission, Discharge, Transfer Information - Used for scheduling cleaning events and managing cleaning records
- Photographs - Used to identify residents in care settings
- Safety and Behavioral Risk Indicators - Optional flags (aggressive behavior, fall risk, exit-seeking behavior) used to warn housekeeping staff of potential risks to or from residents
This PHI is collected and processed solely at the direction and under the control of the custodian/covered entity.
How We Use Information
Non-Healthcare Information
We use organizational, contact, and staff information to:
- Provide and support our software services
- Communicate with clients and users
- Manage accounts and billing
- Improve our services
Personal Health Information
We process PHI exclusively as a service provider/business associate acting on behalf of the custodian/covered entity:
- Store and process PHI only as directed by the custodian
- Limit access to designated Chinook technical and support personnel with legitimate business need
- Use PHI solely for service delivery and support
- Maintain PHI confidentiality and security as required by applicable health privacy laws
Legal Basis for Processing
Canada: We process personal information based on consent (express or implied), legitimate business interests, or as otherwise permitted under PIPEDA and substantially similar provincial laws.
United States: For covered entities, we process PHI as a business associate under HIPAA. For other personal information, we rely on legitimate business interests, consent, or other lawful bases under applicable state privacy laws.
Information Sharing and Disclosure
- We do not sell personal information
- We do not share personal information without proper authorization or legal requirement
- PHI is never disclosed except as directed by the custodian/covered entity or as required by applicable health privacy laws
- Information may be shared only with vetted service providers and contractors bound by equivalent confidentiality obligations
- Cross-border data transfers comply with applicable privacy laws and use appropriate safeguards
Security Measures
We implement comprehensive security measures appropriate to the sensitivity of information processed:
Standard Security:
- Encryption of data in transit and at rest
- Secure access controls and authentication
- Regular security assessments and updates
- Privacy and security training for personnel and development partners
Enhanced PHI Protections:
- HIPAA-compliant administrative, physical, and technical safeguards
- Audit trails and access monitoring
- Incident response and breach notification procedures
- Regular security risk assessments
Data Retention
We retain personal information:
- As necessary for service delivery and legal compliance
- For the duration of active customer relationships
- As required by applicable laws and regulations
- To resolve disputes or enforce agreements
Deletion: Organization data will be securely deleted within 30 days upon written request from the organization administrator, subject to legal retention requirements.
Individual Rights
Your rights regarding personal information vary by jurisdiction and may include:
Canada (PIPEDA and Provincial Laws):
- Right to access your personal information
- Right to request correction of inaccurate information
- Right to withdraw consent where applicable
- Right to file complaints with privacy commissioners
United States:
- HIPAA Rights: Access, amendment, and accounting of disclosures (exercised through your healthcare provider)
- State Privacy Law Rights (where applicable): Access, correction, deletion, data portability, and opt-out rights
Exercising Rights: Contact us at the information below. For PHI-related requests, please contact your healthcare provider directly.
International Data Transfers
When we transfer personal information across borders, we implement appropriate safeguards:
- Standard contractual clauses
- Adequacy determinations
- Other lawful transfer mechanisms as required by applicable privacy laws
Policy Updates
We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. Material changes will be communicated through appropriate channels including email notification and website posting.
Contact Information
Privacy Officer:
Email: privacyteam@chinookhealthsolutions.com
For PHI-related inquiries: Please contact your healthcare provider or organization's privacy officer.
Regulatory Contacts:
- Canada: Office of the Privacy Commissioner of Canada or your provincial privacy commissioner
- United States: U.S. Department of Health and Human Services (HIPAA) or relevant state attorney general
By using our software services, you acknowledge that you have read, understood, and agree to this Privacy Policy and consent to the collection, use, and disclosure of information as described herein, subject to applicable legal requirements.