At Pillar Mental Health Group, we value your privacy and are committed to protecting the privacy and confidentiality of your personal health information (PHI). This Privacy Policy explains how we collect, use, disclose, retain, secure, and manage such information in compliance with Ontario’s Personal Health Information Protection Act (PHIPA), and in alignment with the ethical and professional standards required by the College of Psychologists and Behaviour Analysts of Ontario.
1. Definitions
· Personal Health Information (PHI): “Personal Health Information” (PHI) is information about an identifiable individual. This information relates to the physical or mental health of the individual and includes, but is not limited to, the individual’s physical or mental health, diagnoses, testing, treatment, family health history, Substitute Decision Makers, and/or care providers.
· Health Information Custodian (HIC): As per Ontario’s Personal Health Information Protection Act (PHIPA), we are a health information custodian (HIC). Accordingly, we are responsible for maintaining, collecting, using, disclosing and safeguarding your PHI in accordance with PHIPA. We take this responsibility very seriously and our policy below discusses how we ensure compliance.
· Consent: Consent may be “express” (either written or verbal) or “implied.” We strive and prefer to obtain express consent. However, we may rely on implied consent, in some circumstances, as permitted by PHIPA.
2. What Information We Collect
We collect only the PHI necessary for our services. Types of information may include but are not limited to:
· Name, date of birth, contact information (address, phone, email), emergency contact.
· Demographic data (e.g. gender), as voluntarily provided.
· Presenting concerns, reason for referral, symptoms, mental‑health history, medical/psychological/social history, family history, psychosocial context.
· Information about services provided: assessment data, self‑report measures, psychological test results, session dates, treatment plans, clinical notes, records of therapy/consultation/assessment, communications between client and therapist.
· Clinician preferences / booking information (which therapist, scheduling), payment/billing/insurance information, payment history, invoices, credit‑card / payment processing data (when applicable).
· Any other information you provide during the course of intake, assessment, treatment, follow-up or administrative interaction.
Where appropriate (with consent), we may collect information from third‑party sources (previous health‑care providers, agencies, family members, other professionals) as needed to support care, coordination, or assessment.
3. Purposes of Collection, Use, and Disclosure
We will only collect, use, or disclose PHI to the extent reasonably necessary for the purposes described, consistent with PHIPA and professional ethics.
We collect and use your information to:
· Provide psychological services (assessment, therapy, counselling, consultation, treatment).
· Evaluate your needs and develop treatment plans.
· Monitor treatment progress over time, including assessment, reassessment, and follow-up care.
· Provide professional psychological opinions (e.g., assessment reports), when requested or required, with consent.
· Billing, invoicing, payment processing, collecting unpaid fees.
· Communication with third-party payers (e.g. insurance companies, workplace insurance, third‑party funding bodies) when you consent or where authorized.
· Administrative tasks: scheduling, appointment reminders, contact, record‑keeping, file management.
· Internal operations: record audits, quality assurance, supervision (if supervised clinicians or associates are involved), practice management.
· If external consultants (e.g. accountants, IT, maintenance) must access PHI as part of their role, access will be limited and subject to privacy agreements.
· Communication about workshops, seminars, new services, only with your consent.
4. Consent & Disclosure
· We will obtain your consent (written or verbal) before collecting, using or disclosing your PHI, except where PHIPA or another law permits the collection/use/disclosure without consent.
· When sharing your PHI with third parties like insurance companies, employers, legal parties, etc., we will obtain your express consent prior to doing so.
· You may withdraw your consent at any time in writing. We will inform you of the implications of such withdrawal (e.g. that we may no longer be able to provide you certain services).
5. Limits of Confidentiality / Mandatory Disclosure
Please note that there are limits to confidentiality and, in some circumstances, we may disclose your PHI without your consent, as permitted by PHIPA and professional ethics. These circumstances include, but are not limited to:
· If there is a risk of serious harm to yourself or others.
· If there are concerns about abuse or neglect of a child or a protected adult (e.g., in a long‑term care facility or retirement home), or if you report past abuse or neglect.
· If there is reason to report professional misconduct – for example, sexual abuse by another regulated healthcare professional.
· If required by law: court orders/subpoenas, orders under police powers (e.g. missing‑person requests), regulatory audits by the College.
· If your file is selected for audit or supervision (if you are seeing a clinician in supervised practice), subject to regulatory / ethical confidentiality obligations.
If we must disclose information under one of these exceptions, we will only disclose what is legally or ethically required and no more. Whenever possible, we will discuss the disclosure with you beforehand; where this isn’t possible (e.g. immediate risk), we act as necessary.
6. Retention and Secure Destruction of Records
· We will retain your PHI for as long as necessary to fulfill the purposes for which it was collected.
· As a guideline (unless otherwise required by law or by regulatory standards), client files will be retained for a minimum of ten (10) years after the last date of contact; for clients first seen under the age of 18, at least until ten (10) years after they turn 18.
· When records are no longer needed (or at the end of the retention period), we will ensure secure destruction: paper records shredded, electronic records deleted; if hardware is decommissioned, hard drives physically destroyed before disposal.
7. Right of Access and Correction
· You have the right to request access to the PHI we hold about you, request copies, and/or request corrections to factual inaccuracies.
· We may require identity verification before granting access. We may also charge a nominal fee to cover administrative costs; if we cannot grant access (e.g. due to legal exceptions), we will inform you in writing within a reasonable timeframe (e.g. within 30 days).
· If you request a correction and we agree there is a factual error, we will correct the record and notify any third‑party recipients to whom the erroneous information was disclosed. If we disagree, we will include a statement of your disagreement in your file and forward that statement to any relevant third parties.
8. Use of External Consultants, Contractors, and Agencies
From time to time, external service providers (e.g., accountants, IT consultants, maintenance/cleaning staff, payment processors, temporary administrative staff) may need limited access to PHI as part of their duties. We will restrict their access to only what is strictly necessary, and require they sign privacy agreements ensuring they comply with the same confidentiality and security obligations.
9. Use of Website, Public Inquiries, and Marketing Contacts
If you contact us via our website (e.g. general inquiry form), or if you are a member of the public requesting information (not yet a client), we may collect minimal PHI (e.g., name, contact information, presenting concern) for the purpose of responding to your inquiry or guiding you to appropriate services. We will only use this information for the purpose you provided it (e.g. to reply), unless you consent to further use (e.g. newsletters, service announcements).
Our website may use cookies or analytics tools (e.g., Google Analytics) to monitor website performance and improve user experience. These tools collect non-identifiable data only (e.g., pages visited, browser type). You may disable cookies in your browser settings.
10. Safeguards and Security
We have implemented a variety of administrative, technical, and physical safeguards to protect your PHI from unauthorized access, use, disclosure, loss, or destruction. Safeguards may include locked filing cabinets or secure storage for paper records; encryption, password protection, firewalls, antivirus software, secure servers for electronic records (Jane); access controls; staff training on privacy obligations; confidentiality agreements with contractors/consultants; and secure methods for transmitting or disposing of records.
11. Virtual Services
If services are provided by video or phone, we take steps to ensure confidentiality, including the use of secure platforms and encouraging clients to participate from a private location. As with all electronic communication, there is a small risk of technical failure or unauthorized access; we will discuss these limits and obtain your consent prior to providing virtual services.
Email is not a fully secure form of communication. While we take reasonable steps to protect your information, we encourage you to limit messages to scheduling and administrative matters. Clinical information should be discussed in session. By emailing us, you acknowledge these risks and consent to communication in this form.
12. Breach Protocol
If your PHI has been accessed, used, disclosed, or disposed of in an unauthorized manner, we will comply with PHIPA requirements in investigating and responding to the incident. Please note that if a privacy breach occurs and your PHI is unfortunately affected, we will notify you.
13. Privacy Officer / Contact Information
If you have any questions, wish to access or correct your information, withdraw consent, express concerns, or make a complaint about how your PHI is handled, please contact:
Privacy Officer
Kathleen Stewart
Pillar Mental Health Group
2300 Yonge St #1600, Toronto, ON M4P 1E4
(416) 568-4333
drstewart@pillarmentalhealthgroup.com
You also retain the right to file a complaint with the Information and Privacy Commissioner of Ontario.
14. Relationship to Professional Standards & Ethical Obligations
As regulated psychologists/practice in Ontario, we also adhere to the ethical and professional obligations set out by the College of Psychologists and Behaviour Analysts of Ontario, including confidentiality, informed consent, respect for client autonomy, and secure handling of client records. This Privacy Policy complements and supports those obligations.
15. Changes to This Policy
We may update this Privacy Policy from time to time (e.g. because of changes in legislation or practice). Any changes will be posted on our website with a revised “last updated” date. Continued use of our services or the website after changes indicates acceptance of the updated policy.
