Medical Spa Club Privacy Policy


We take privacy very seriously and are committed to respecting and protecting your personal information in accordance with the British Columbia Personal Information Protection Act (PIPA). This privacy policy details how the Medical Spa Club collects, uses and handles your personal information, and how to contact us should you have questions or concerns about our management of your personal information. Obtaining your consent is crucial to protecting your personal information. We only handle your personal information in a manner that a reasonable person would consider appropriate in the circumstances.

Our goal is to protect our patients and those employed in our organization against privacy / security threats that could jeopardize their privacy, reputation and business outcomes.

This privacy policy applies to all of the patients and employees of the organization, including temporary employees and visitors.  Compliance with the policies outlined in the Privacy Policy is compulsory.

This privacy policy may be updated without notice.

Privacy Policy Definitions

CHIEF EXECUTIVE OFFICER – CEO  The Chief Executive Officer has overall administrative responsibility for the Medical Spa Club and is accountable for all aspects of the Medical Spa Club’s privacy information.

CLOSED CIRCUIT TELEVISION – CCTV  Transmission of audio and video data to television monitors, not computer screens.

COLLEGE – CPSBC  The College of Physicians and Surgeons of British Columbia; the provincial regulatory body that governs physicians and surgeons in British Columbia.

CONTACT INFORMATION  Information that would enable an individual to be contacted at a place of business, including name, position name or title, business telephone number, business address, business email or business fax number. Contact information is not covered by this policy or by the Personal Information Protection Act.

Individuals who are employed full- or part-time (including locums, students and visiting vendors) at the Medical Spa Club. These individuals shall meet and support the privacy policies and report any attempted privacy breaches to the Privacy Officer.

Collectively, all employees at the Medical Spa Club, who are subject to the provisions of these Privacy Policies.

PRIVACY OFFICER  The individual responsible for maintaining the privacy documents, ensuring all employees are trained on privacy procedures, responding to privacy incidents and determining the privileges and access rights to the resources at the Medical Spa Club. Responsible for ensuring the Organization complies with this Privacy Policy and the Personal Information Protection Act.

PATIENT  An individual giving their consent to receive medical services from a physician.

PIPA – “Personal Information Protection Act”  British Columbia’s Personal Information Protection Act came into effect on January 1, 2004 and sets out the ground rules for how B.C. businesses and not-for-profit organizations may collect, use and disclose personal information.

PERSONAL HEALTH INFORMATION  In the physician-patient context, confidential information entrusted by the patient to the physician/clinic. The content of this information is owned and guarded by the physician/clinic and is used to link or match with other information in order to identify a patient. This information includes, but is not limited to, demographic information, medical history, tests, laboratory results, insurance information and healthcare data used to determine appropriate medical/health care.

PERSONAL INFORMATION  Information about an identifiable individual, which includes but is not limited to name, age, home address and phone number, social insurance number, marital status, religion, income, medical information, education and employment information.

PHYSICIAN  A person awarded the degree of doctor of medicine (M.D.), licensed in independent medical practice and in good standing with the College of Physicians and Surgeons of British Columbia.



Policy 1 – Collection, Use and Disclosure of Personal Information

1.1 Collection of Personal / Contact Information

  • The Organization shall collect personal / contact information that is required to provide care, administer the care that is provided, communicate with patients, and maintain a safe environment for patients and staff. Unless the purposes for collecting personal information are obvious and the patient voluntarily provides his or her personal information for those purposes, we will communicate the purposes for which personal information is being collected, either orally or in writing, before or at the time of collection. The Organization shall not collect any other information, or allow information to be used for other purposes, without the patient’s express consent, except where authorized to do so by law. These limits on collection ensure that we do not collect unnecessary information.
  • We collect the following patient personal / contact information:
    • Name
    • Date of birth
    • Provincial/territorial health insurance plan (health card) number
    • Private medical insurance details
    • Phone Number
    • Residential Address
    • Email Address
    • Credit card information
  • We collect the following patient personal health information, which may include:
    • Medical history
    • Health insurance information
    • Presenting symptoms, examinations, treatments, lab reports, diagnostic studies
    • Images (Before & After procedures)
  • We collect the following staff personal / contact information:
    • Name
    • Date of birth
    • Phone Number
    • Residential Address
    • Email Address
    • Social Insurance Number

1.2 Use of Personal Information

  • Personal information collected from patients is used by this Organization for the purposes of:
    • Identification and contact
    • Provision and continuity of care
      • Historical record
      • Health promotion and prevention
    • Administration of the care that is provided
      • Prioritization of appointment scheduling
      • Billing provincial health plan
    • Professional requirements
      • Risk or error management
    • Research studies and trials when applicable
    • Processing payment
  • Unless the patient requests otherwise, the Organization may contact you via email or phone in the future to inform you about products or services, or about changes to administration/management procedures.
  • Personal information collected from staff is used by this Organization for the purposes of:
    • Identification and contact
    • Employment administration
    • Processing Wages
    • Security

Policy 2 – Consent

2.1 Implied Consent (Disclosures to Other Physicians)

  • Unless otherwise indicated, patients have provided their consent to the use of their personal information and relevant health information for the purposes of providing them with care, including sharing the information with other health providers involved in their care.
    • The patient’s express consent (oral or written) is required before the Organization discloses information to third parties for any purpose other than to provide care or unless authorized to do so by law. Situations involving disclosures to third parties include (but are not limited to):
      • Third party medical examinations
      • Provision of charts or chart summaries to insurance companies

2.2 Consent Process

  • Consent can be provided orally, in writing and/or electronically, or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious and the patient voluntarily provides personal information for that purpose.

2.3 Not Opting Out

  • Consent may also be implied where a patient is given notice and a reasonable opportunity to opt-out of his or her personal information being used for mail-outs, and the patient does not opt-out.

2.4 Withdrawal of Consent

  • Patients, at any time, have the authority to withdraw consent to have their information shared with other health providers and third parties.
  • If a patient chooses to withdraw their consent, the Physician will discuss any significant consequences that might result with respect to their care and treatment (e.g., possible negative impact on the care provided).

2.5 Without Consent (Disclosures Mandated or Authorized by Law)

  • There may be situations where the Organization is legally required to disclose personal information without the patient’s consent. These situations include (but are not limited to):
    • Billing provincial health plans
    • Reporting specific diseases
    • Reporting abuse (child, elder, spouse, etc.)
    • Reporting fitness (to drive, fly, etc.)
    • By court order (when subpoenaed in a court case)
    • In regulatory investigations
    • For quality assessment (peer review)
    • For risk and error management, e.g., medical-legal advice
    • In an emergency that threatens an individual’s life, health or personal security
    • For the purposes of collecting a debt
    • To protect ourselves from fraud

Policy 3 – Using and Disclosing Personal Information

3.1 Necessary Purposes

  • The Organization shall use or disclose patient personal information where necessary to fulfill the purposes identified at the time of collection, or for a purpose reasonably related to those purposes, such as (but not limited to) conducting medical services pertinent to the patient’s health.

3.2 Obtaining Consent

  • The Organization shall not use or disclose patient personal information for any additional purpose unless we obtain consent to do so.

3.3 No Sale or Rental

  • The Organization is the sole owner of the information collected on site; we do not sell or rent the information to anyone.

Policy 4 – Safeguards to Retain Personal Information

4.1 Record Retention

  • The Organization is required by law to retain patients’ medical records for at least 15 years from the date of last entry or, in the case of minors, 15 years from the time the patient would have reached the age of majority.
  • The Organization shall store records in electronic format within our Electronic Medical Record (EMR) software.
  • When records are deemed no longer necessary, upon expiry of the 15-year retention period, they will be safely deleted from electronic storage.

4.2 Retention Extension

  • Subject to policy 4.1, the Organization will retain patient personal information only as long as necessary to fulfill the identified purposes or a legal or business purpose.

Policy 5 – Ensuring Accuracy of Personal Information

5.1 Accuracy of Information

  • The Organization will make reasonable efforts to ensure that patient personal information is accurate and complete where it may be used to make a decision about the patient or disclosed to another organization.

5.2 Revision Request

  • Should a patient discover inaccurate information in their personal health records, the patient can request revisions in order to ensure their accuracy and completeness. A request to correct personal information must be made in writing and provide sufficient detail to identify the personal information and the correction being sought.

5.3 Correction of Information

  • If the personal information is demonstrated to be inaccurate or incomplete, the Organization will correct the information as required and send the corrected information to any organization to which we disclosed the personal information in the previous year. If the correction is not made, we will note the patient’s correction request in the file.
  • All changes shall be made with the authorization of the Physician.

Policy 6 – Safeguards to Secure Personal Information

6.1 Security Measures

  • The Organization uses the following physical safeguards:
    • Limited access to office
      • Monitored alarm system
      • Video surveillance, refer to Policy 8 Use of CCTV
      • Lockable doors that separate the public area from the private area where patients receive medical consultations and examinations
    • Limited access to records
      • File cabinets with medical records are stored in a staff-only restricted-access area
  • The Organization uses the following technological safeguards:
    • Password-protected computer access for patient health information
    • System protections
      • Firewall software
      • Virus scanning software
    • External electronic communications – Internet
      • Sensitive information is not regularly sent via email; personal and confidential information is typically disclosed by the Physician verbally to the patient.
    • Secure electronic record disposal
      • Destroy all data on computer hard drives prior to disposal
      • Destroy all other removable media (diskettes, CD-R, DVD)
    • Secure and encrypted credit card transmission (sensitive card data is not stored/kept)
  • The Organization uses the following administrative safeguards:
    • Office information management practices
      • Access is on a need-to-know basis
      • Access is restricted to authorized users
      • Patients are escorted by a Physician or staff member to the consultation and / or examination room
      • Active desktops and laptops must be secured if left unattended; desktops will go into automatic sleep mode if inactive for a certain period of time.
    • Staff sign confidentiality agreements as part of their employment contract (the obligation also extends beyond the term of employment).
    • Third party obligations
      • Contractual privacy clauses / agreements with third parties

6.2 Communication

  • The Organization is committed to protecting our patients’ personal information, regardless of format, and we take care in how information is communicated with our patients, staff and third parties that may be involved in our patients’ care. The Organization adheres to the following procedures to communicate personal information by:
    • Telephone
      • Patient preference with regards to phone messages will be taken into consideration
      • Unless authorized, we only leave our name and phone number in a message for patients
    • Fax
      • Our fax machine is located in a supervised, staff-only restricted-access area
    • Email
      • Any confidential information sent over public or external networks is encrypted
      • Firewall and virus scanning software is in place to mitigate against unauthorized modification, loss, access or disclosure
    • Post/Courier
      • Sealed envelope
      • Marked confidential

6.3 Secure Disposal/Destruction of Personal Information

  • When information recorded on paper is no longer required, it is destroyed by shredding.
  • Before secure disposal by shredding, useful personal information will be scanned into the patient’s electronic health record.
  • Electronic media storage records in the form of diskettes, tapes and CD-ROMS are not kept or archived at the Organization. Should the patient bring their health record to a consultation, the Physician may review the health information on such electronic media storage devices in his / her private consultation room in the presence of the patient.  The original media storage record will be returned to the patient.

6.4 Updates to Privacy Policy

  • The Organization will review and update our security policies and controls as technology changes, and at a minimum every three (3) years, to ensure ongoing personal information security.

Policy 7 – Providing Patients Access to Personal Information

7.1 Patient’s Right

  • Patients have a right to access their personal information, subject to limited exceptions.
    • These exceptions include doctor-client privilege, cases where the disclosure would reveal personal information about another individual, and health and safety concerns.

7.2 Request

  • A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought.

7.3 Access to Information

  • Upon request, the Organization will also tell patients how we use their personal information and to whom it has been disclosed if applicable.
  • Should the records be in paper form and the patient wish to view the original record, one of our staff must be present to maintain the integrity of the record. The patient will not be permitted to leave the premises with the original copy.

7.4 Request Period

  • The Organization will make the requested information available within thirty (30) business days, or provide written notice of an extension where additional time is required to fulfill the request.

7.5 Fee

  • A minimal fee may be charged for providing access to personal information.  Where a fee may apply, one of the staff will inform the patient of the cost and request further direction from the patient on whether or not to proceed with the request.

7.6 Limited Access / Refusal

  • If a request is refused in full or in part, the Organization will notify the patient in writing, providing the reasons for refusal and the recourse available to the patient.
  • Should there be a risk to the patient or another person, then the patient may be denied access to their records. For example, access may be denied when the information could reasonably be expected to seriously endanger the mental or physical health or safety of the individual making the request or another person.
  • Should the disclosure reveal personal information about another person who has not consented to the disclosure, the Organization will do its best to separate out this information and disclose only what is appropriate.

Policy 8 – Use of CCTV

8.1 CCTV

  • The Organization uses Closed Circuit Television (CCTV) or video surveillance cameras for building security.
  • The Organization ensures that no one other than specifically authorized staff has the capability of viewing these images. Furthermore, we take special precautions to protect the privacy of CCTV video images, which include (but are not limited to):
    • There is no covert surveillance conducted on the premises.
    • Clearly visible signs are posted, ensuring that patients are aware of the existence of video cameras.
    • Equipment shall never monitor the inside of areas where patients and employees have a higher expectation of privacy (e.g. treatment rooms, change rooms and washrooms).
    • There are no video cameras that are used in private areas, such as washrooms, changing rooms or spa/patient treatment rooms.
    • Audio is never recorded.
    • Video surveillance records only during non-business hours, when staff and patients are not typically at the organization.

8.2 Secure Location

  • All CCTV video images are stored in a secure location, with limited access, and are on a dedicated server.

8.3 CCTV Retention

  • All CCTV video images are automatically destroyed after a set period of time.

8.4 Staff

  • Staff must not disclose, access or use information contained in the CCTV video surveillance system, its components, files or database for personal reasons, nor dispose of, destroy, erase or alter any record without proper authorization.

8.5 Access

  • Only the Privacy Officer may access the CCTV video equipment.

8.6 Training

  • The Organization is committed to providing our staff with training on the privacy and security issues involved with the use of video surveillance equipment, and the sensitivity required in such settings.

8.7 Audits

  • The Organization is committed to regular security and privacy audits of the CCTV video surveillance system, conducted on an annual basis.

Policy 9 – Cookies

9.1 Usage

  • A cookie is a small file sent to your browser from a Web server to be stored on your computer. A cookie cannot give access to your computer or to any information stored on your computer. The Organization uses cookies to allow our site to respond to you as an individual by gathering and remembering information about your preferences when using our site, so that when you next visit the site your preferences have already been set. Cookies are also used to personalize the content you view on the site.

9.2 Accepting / Declining

  • You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

Policy 10 – Roles & Protecting Personal Information

10.1 Accountability

  • The Chief Executive Officer / Privacy Officer are accountable for all aspects of the Organization’s Privacy Policy including (but not limited to):
    • Implementing, maintaining and distributing the Privacy Policy.
    • Protecting the privacy of the IT infrastructure.
    • Ensuring privacy training procedures are completed.
    • Responding to privacy breaches / incidents.
    • Determining the privileges and access rights to physical and electronic resources where personal information is stored.
  • The Physician at Medical Spa Club is accountable for the protection of the health records in his/her possession.
  • Employees at the Organization who assist with or provide patient care shall execute the actions and responsibilities outlined in the Privacy Policy for the appropriate use and disclosure of personal information.
  • Employees at the Organization who have access to personal information must adhere to the following information management practices:
    • Access is on a need to know basis
    • Access is restricted to authorized users
  • The Organization commits to the following privacy protections:
    • We protect the confidentiality of any personal information we access in the course of providing patient care
    • We collect, use and disclose personal information only for the purposes of providing care and treatment or the administration of that care, or for other purposes expressly consented to by the patient
    • We educate and train staff on the importance of protecting personal information and on the proper collection, use and disclosure of personal information

10.2 Patient Complaints

  • The Organization is sensitive to the needs and concerns of our patients and staff. We vow to acknowledge patient and staff concerns and respond to their needs in a professional and timely manner.  A patient or staff member who believes that the Organization has not responded to their access request or not handled their personal information in a reasonable manner is encouraged to address their concerns first with their Physician.
  • The Organization adheres to the following procedures for responding to patients or staff verbal or written complaints:
    • The patient may file a formal complaint, verbally or in writing, with any of the Organization’s staff members at any time. A formal complaints form can be provided by contacting the Organization. The staff member shall immediately contact the Organization’s Office Manager and / or Privacy Officer to discuss the complaint either in person or electronically (email, phone, text message). Promptly, and as soon as the business/patient schedule permits, the Office Manager and / or Privacy Officer shall discuss the matter with the patient or staff member in person.
    • A staff member may file a formal complaint by completing and submitting a complaints form to the Office Manager or Privacy Officer.
    • The complaint and a summary of the discussion will be recorded in the patient’s chart or the staff member’s employee file.
    • Patients who are not satisfied with the Organization’s complaints procedure and / or remediation are encouraged to pursue the matter further by contacting the Information and Privacy Commissioner.
  • Contact information for Medical Spa Club Privacy Officer:

Paul Pinkhasik, Privacy Officer at Medical Spa Club
6611 No. 2 Road, Richmond, BC, V7C 3L5

Telephone: 604-284-5501

  • Contact information for the Commissioner:

PO Box 9038  Stn. Prov. Govt.
Victoria, B.C. V8W 9A4
Telephone: 1-250-387-5629