BridgeMed Health

DRAFT — DO NOT PUBLISH. Certification claims on this page are unverified placeholders. Niral V. Merchant must confirm in writing that BridgeMed Health has achieved the named certifications before this page is published to a production domain. — Veydros Consulting

Section T.4 · Federal law

PIPEDA Compliant [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED]

Personal Information Protection and Electronic Documents Act (Canada)

BridgeMed Health complies with PIPEDA [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED], Canada’s federal private-sector privacy law governing the collection, use, and disclosure of personal information in the course of commercial activities.

The federal framework

Canada’s baseline for commercial privacy.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal statute that sets the ground rules for how private-sector organizations across Canada collect, use, and disclose personal information in the course of commercial activities. It applies to BridgeMed Health’s plan administrator relationships, our contracts with insurers, and our interactions with case managers and third-party administrators wherever those engagements involve personal information that is not exclusively governed by a more specific provincial statute.

In Ontario, the more specific statute for personal health information is PHIPA, which is described in detail on a separate page in this Trust Centre. PIPEDA continues to govern any of our commercial activities that involve personal information falling outside the PHIPA scope — for example, contractual communications with an insurance company, marketing material distribution, or employee personal information held in our internal systems.

The Act is anchored in ten fair information principles drawn from the CSA Model Code for the Protection of Personal Information. Each principle imposes specific obligations on organizations and grants specific rights to individuals. The summary below maps each principle to how BridgeMed Health operationalises it.

The ten fair information principles

PIPEDA, principle by principle.

Each principle is summarised in plain language alongside the operational practice BridgeMed Health follows to honour it. Where the principle is also covered by PHIPA or HIPAA, we note the cross-reference.

01

Accountability

An organization is responsible for personal information under its control and must designate an individual to be accountable for compliance. BridgeMed Health has a designated privacy officer with named contact details on every relevant page in this Trust Centre. [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED]

02

Identifying purposes

The purposes for which personal information is collected must be identified at or before collection. Plan members are told why their information is collected at every intake point, and purpose statements are documented in our consent materials.

03

Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except in defined exceptional circumstances. We obtain meaningful consent prior to collection and document it.

04

Limiting collection

The collection of personal information is limited to what is necessary for the identified purposes. Only information necessary for care delivery is collected; we do not gather identifying data “just in case.”

05

Limiting use, disclosure & retention

Personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law, and must be retained only as long as necessary.

06

Accuracy

Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Plan members may request correction of inaccurate or incomplete records.

07

Safeguards

Personal information must be protected by security safeguards appropriate to the sensitivity of the information. See Platform Security for the technical controls inventory.

08

Openness

An organization must make readily available specific information about its policies and practices relating to the management of personal information. This Trust Centre is part of that obligation.

09

Individual access

Upon request, an individual must be informed of the existence, use, and disclosure of personal information about them and be given access to it. Access requests are honoured within the timelines set by PIPEDA.

10

Challenging compliance

An individual must be able to challenge an organization’s compliance with these principles. Complaints can be directed to BridgeMed Health’s privacy officer or escalated to the Office of the Privacy Commissioner of Canada.

Filing a complaint

If we don’t resolve your concern.

Most privacy questions can be resolved by writing to our privacy officer at info@veydros.com. We acknowledge receipt of written complaints within five business days and respond substantively within thirty days, except where the complaint requires extended investigation, in which case we will notify you of the expected timeline.

Where a complaint is not resolved to your satisfaction, you have the right to escalate to the Office of the Privacy Commissioner of Canada at priv.gc.ca. Ontario plan members may also be entitled to file a complaint with the Information and Privacy Commissioner of Ontario under PHIPA.