Chinook Health Solutions Ltd. Privacy Policy

Overview

Chinook Health Solutions Ltd. ("Chinook," "we," "us," or "our") provides Beetons Clean, a cloud-hosted housekeeping software service, to healthcare facilities and other organizations across Canada and the United States. We are committed to protecting the privacy and confidentiality of personal information in accordance with applicable privacy and health information laws.

Legal Framework

This policy is designed to comply with applicable privacy and health information laws including:

Canada
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Provincial privacy laws (Alberta PIPA, BC PIPA, Quebec Act respecting the protection of personal information in the private sector)
  • Provincial health information protection acts (Ontario PHIPA, Alberta HIA, BC E-Health Act, Saskatchewan HIPA, Manitoba PHIA, and others)

United States
  • Health Insurance Portability and Accountability Act (HIPAA)
  • State comprehensive privacy laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others)
  • Applicable state health privacy laws

Definitions

Personal Information means information about an identifiable individual, including names, email addresses, and photographs.

Personal Health Information (PHI) means any information about an individual that relates to their health, healthcare, or payment for healthcare that can identify them. In healthcare settings, this includes names and photographs when used to identify patients or residents.

Custodian/Covered Entity means the healthcare organization (such as long-term care facilities, skilled nursing facilities, assisted living facilities, and nursing homes) that has custody or control of PHI under applicable health information laws.

Sensitive Personal Information includes health-related data (such as behavioral risk flags) and biometric information (such as photographs used for identification).

Information We Collect

Organization Information
  • Organization name, address
  • This information is generally considered public and is used for account setup and service delivery

Contact Information
  • Names, email addresses of designated site contacts
  • Collected for correspondence, account management, and service delivery
  • Access restricted to authorized facility personnel with legitimate business need

Staff Information
  • Staff names and user credentials for account access
  • Used for user authentication and service delivery
  • Accessible only through secure, role-based access controls

Resident/Patient Information (Healthcare Settings)

All resident/patient data entry is optional and controlled by the custodian/covered entity. Data may be manually entered or imported from PointClickCare (PCC) systems by facility staff.

When our software is used in healthcare contexts, the following information constitutes Personal Health Information under applicable laws:

  • Names (first name, last name) – Used for scheduling cleaning events and managing cleaning records
  • Admission, Discharge, Transfer Information – Used for scheduling cleaning events and managing cleaning records
  • Photographs – Used to identify residents in care settings
  • Safety and Behavioral Risk Indicators – Optional flags (aggressive behavior, fall risk, exit-seeking behavior) used to warn housekeeping staff of potential risks to or from residents

This PHI is collected and processed solely at the direction and under the control of the custodian/covered entity.

How We Use Information

Non-Healthcare Information

We use organizational, contact, and staff information to:

  • Provide and support our software services
  • Communicate with clients and users
  • Manage accounts and billing
  • Improve our services

Personal Health Information

We process PHI exclusively as a service provider/business associate acting on behalf of the custodian/covered entity:

  • Store and process PHI only as directed by the custodian
  • Limit access to designated Chinook technical and support personnel with legitimate business need
  • Use PHI solely for service delivery and support
  • Maintain PHI confidentiality and security as required by applicable health privacy laws

Legal Basis for Processing

Canada: We process personal information based on consent (express or implied), legitimate business interests, or as otherwise permitted under PIPEDA and substantially similar provincial laws.

United States: For covered entities, we process PHI as a business associate under HIPAA. For other personal information, we rely on legitimate business interests, consent, or other lawful bases under applicable state privacy laws.

Information Sharing and Disclosure

  • We do not sell personal information
  • We do not share personal information without proper authorization or legal requirement
  • PHI is never disclosed except as directed by the custodian/covered entity or as required by applicable health privacy laws
  • Information may be shared only with vetted service providers and contractors bound by equivalent confidentiality obligations
  • Cross-border data transfers comply with applicable privacy laws and use appropriate safeguards

Security Measures

We implement comprehensive security measures appropriate to the sensitivity of information processed.

Standard Security:
  • Encryption of data in transit and at rest
  • Secure access controls and authentication
  • Regular security assessments and updates
  • Privacy and security training for personnel and development partners

Enhanced PHI Protections
  • HIPAA-compliant administrative, physical, and technical safeguards
  • Audit trails and access monitoring
  • Incident response and breach notification procedures
  • Regular security risk assessments

Data Retention

We retain personal information:

  • As necessary for service delivery and legal compliance
  • For the duration of active customer relationships
  • As required by applicable laws and regulations
  • To resolve disputes or enforce agreements

Deletion: Organization data will be securely deleted within 30 days upon written request from the organization administrator, subject to legal retention requirements.

Individual Rights

Your rights regarding personal information vary by jurisdiction and may include:

Canada (PIPEDA and Provincial Laws)
  • Right to access your personal information
  • Right to request correction of inaccurate information
  • Right to withdraw consent where applicable
  • Right to file complaints with privacy commissioners

United States
  • HIPAA Rights: Access, amendment, and accounting of disclosures (exercised through your healthcare provider)
  • State Privacy Law Rights (where applicable): Access, correction, deletion, data portability, and opt-out rights

Exercising Rights: Contact us at the information below. For PHI-related requests, please contact your healthcare provider directly.

International Data Transfers

When we transfer personal information across borders, we implement appropriate safeguards:

  • Standard contractual clauses
  • Adequacy determinations
  • Other lawful transfer mechanisms as required by applicable privacy laws

Policy Updates

We may update this Privacy Policy to reflect changes in our practices, services, or legal requirements. Material changes will be communicated through appropriate channels including email notification and website posting.

Contact Information

Privacy Officer:

Email: privacyteam@chinookhealthsolutions.com

For PHI-related inquiries: Please contact your healthcare provider or organization's privacy officer.

Regulatory Contacts:

  • Canada: Office of the Privacy Commissioner of Canada or your provincial privacy commissioner
  • United States: U.S. Department of Health and Human Services (HIPAA) or relevant state attorney general

By using our software services, you acknowledge that you have read, understood, and agree to this Privacy Policy and consent to the collection, use, and disclosure of information as described herein, subject to applicable legal requirements.