Privacy Policy
Who we are
Our website address is: https://acupuncturebydrsabina.com. This privacy policy outlines how Dr. Sabina’s Acupuncture Clinic (“we,” “us,” or “our”) collects, uses, discloses, and protects your personal information and personal health information. We are committed to protecting your privacy in accordance with Canadian federal and Alberta provincial privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta’s Health Information Act (HIA), and the Personal Information Protection Act (PIPA). Dr. Sabina has been designated as our Privacy Officer and is responsible for our compliance with privacy legislation. You may contact our Privacy Officer regarding any privacy concerns or questions via email: [email protected]
Policy Version History
- Current Version: 2.0 (July 31, 2025)
- Previous versions available upon request
- Material changes will be highlighted for 30 days after implementation
- Archive of previous versions maintained for legal compliance
What Information We Collect
Personal Health Information
As a regulated healthcare provider in Alberta, we collect personal health information necessary for providing acupuncture and Traditional Chinese Medicine services, including:
- Medical history and current health conditions
 - Treatment records and clinical observations
 - Symptoms, diagnoses, and treatment plans
 - Medication information and allergies
 - Insurance and billing information
 - Previous healthcare provider information
 
Personal Information
We also collect personal information including:
Website Information
When you visit our website, we may automatically collect:
How We Use Your Information
Healthcare Services
We use your personal health information to:
- Provide safe and effective acupuncture treatments
 - Maintain accurate treatment records
 - Communicate with you about your care
 - Process insurance claims and billing
 - Schedule appointments and send reminders
 - Comply with professional regulatory requirements
 
Legal Authority
We collect and use health information under the authority of Alberta’s Health Information Act, specifically sections related to healthcare service provision.
Comments
When visitors leave comments on our site, we collect the data shown in the comments form, the visitor’s IP address, and browser user agent string to help with spam detection. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.
Media
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Cookies and Tracking Technology
Cookie Consent
In accordance with PIPEDA requirements, we obtain meaningful consent before placing non-essential cookies on your device. Our website uses various types of cookies:
Essential Cookies
These cookies are necessary for basic website functionality and include:
- Security cookies for protecting against unauthorized access
- Session cookies for maintaining your browsing session
- Login cookies (last for two days)
Analytics Cookies
With your consent, we use analytics cookies to:
- Understand how visitors use our website
 - Improve our website performance and content
 - Analyze website traffic patterns
 
Cookie Management
If you leave a comment on our site, you may opt-in to saving your name, email address, and website in cookies for your convenience. These cookies will last for one year. You can manage your cookie preferences at any time through your browser settings or our cookie preference center. Most browsers allow you to refuse cookies or alert you when cookies are being sent.
Embedded Content from Other Websites
Articles on this site may include embedded content (e.g., videos, images, articles, etc.). Embedded content from other websites behaves exactly as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.
Consent
Healthcare Consent
We obtain your consent for the collection, use, and disclosure of your personal health information in accordance with Alberta’s Health Information Act and professional standards. This includes:
- Express consent for treatment and care
 - Implied consent for routine healthcare communications
 - Written consent for disclosure to third parties (except as permitted by law)
 
Website Consent
By using our website, you consent to our collection and use of information as described in this privacy policy. You may withdraw your consent at any time, subject to legal and professional obligations.
Information Sharing and Disclosure
Healthcare Providers
We may share your health information with other healthcare providers involved in your care, including:
- Referring physicians or specialists
 - Other healthcare professionals treating you
 - Healthcare facilities providing continuing care
 
Third-Party Service Providers
We may share information with trusted third-party service providers who assist us in:
- Processing payments and insurance claims
 - Appointment scheduling and reminders
 - Website hosting and maintenance
 - Professional services (legal, accounting)
 
All service providers are contractually obligated to protect your information and use it only for the specified purposes.
Legal Requirements
We may disclose your information when required by law, including:
- Court orders or subpoenas
 - Public health authorities
 - Professional regulatory bodies
 - Law enforcement agencies (when legally required)
 
Emergency Situations
We may disclose health information without consent to avert or minimize imminent danger to your health or safety or that of others.
Data Retention
Health Records
In compliance with Alberta regulations and professional standards, we retain health records for a minimum of 10 years from the date of last entry, or if you were under 18 at the time of last entry, 10 years from when you turned 18.
Website Data
- Comment metadata is retained indefinitely to recognize and approve follow-up comments automatically
 - User profile information can be viewed, edited, or deleted by users at any time
 - Website administrators can also view and edit user information
 
Data Storage and Security
Security Measures
We implement appropriate physical, organizational, and technological safeguards to protect your information, including:
- Secure, locked storage for physical records
 - Password protection and encryption for electronic data
 - Regular security audits and updates
 - Staff training on privacy and security practices
 - Secure disposal of information when no longer needed
 
Canadian Storage
Personal information is stored in Canada in compliance with PIPA requirements. If any information is processed or stored outside Canada, we will notify you and obtain appropriate consent.
Privacy Breach Notification
Reporting Requirements
In accordance with PIPEDA and Alberta privacy laws, we will:
- Report any privacy breach that poses a real risk of significant harm to the Privacy Commissioner
 - Notify affected individuals of such breaches as soon as feasible
 - Maintain records of all breaches for at least two years
 
Risk Assessment
We assess each potential breach for risk of significant harm by considering:
- The sensitivity of the information involved
 - The probability that the information will be misused
 - The potential consequences to affected individuals
 
Your Privacy Rights
Under Canadian privacy legislation, you have the right to:
Access Rights
- Request access to your personal information in our custody or control
 - Receive information about how your data is being used
 - Request copies of your health records
 
Correction Rights
- Request correction of inaccurate or incomplete information
 - Challenge the accuracy of your personal information
 
Consent Management
- Withdraw consent for non-essential uses of your information
 - Receive information about the consequences of withdrawing consent
 - Request that we not use or disclose your information for specific purposes
 
Complaint Rights
- File complaints about our privacy practices with our Privacy Officer
 - Appeal to the Privacy Commissioner if unsatisfied with our response
 
International Data Transfers
If we transfer your information outside Canada, we will:
- Notify you of the transfer and destination country
 - Obtain your consent where required
 - Ensure appropriate safeguards are in place
 - Provide you with information about foreign privacy laws that may apply
 
Third-Party Links
Our website may contain links to third-party websites. This privacy policy applies only to our website and services. We are not responsible for the privacy practices of other websites and encourage you to review their privacy policies.
Privacy Policy Updates
We may update this privacy policy periodically to reflect changes in our practices or legal requirements. We will post updates on our website and notify you of significant changes. Your continued use of our services after updates constitutes acceptance of the revised policy.
You can contact our privacy officer with the contact information listed above.
If you are not satisfied with our response to your privacy concern, you may contact:
Office of the Information and Privacy Commissioner of Alberta
- Phone: 1-888-878-4044
 - Website: https://www.oipc.ab.ca
 
Office of the Privacy Commissioner of Canada
- Phone: 1-800-282-1376
 - Website: https://www.priv.gc.ca
 
Compliance Note: This privacy policy has been designed to meet the requirements of PIPEDA, Alberta’s Health Information Act (HIA), Personal Information Protection Act (PIPA), and professional standards for acupuncturists in Alberta. It should be reviewed regularly and updated as needed to maintain compliance with evolving privacy laws and regulations.
Privacy Impact Assessment (PIA)
As required under Section 64 of Alberta’s Health Information Act, we maintain a current Privacy Impact Assessment that has been submitted to and reviewed by the Office of the Information and Privacy Commissioner of Alberta (OIPC) before implementing any new administrative practices or information systems that collect, use, or disclose health information.
Access Monitoring and Audit Trails
We maintain comprehensive audit logs of all access to your health information, including:
- User identification and authentication details
- Date and time of access
- Actions performed (creating, viewing, editing, deleting)
- Personal health number and patient name accessed
- Display screen references
- Facility location of access

These audit logs are regularly reviewed to detect unauthorized access and ensure compliance with privacy requirements.
Staff Training and Confidentiality
All staff members, contractors, and affiliates receive mandatory privacy training including:
- Initial orientation on Health Information Act requirements
- Ongoing annual privacy and security updates
- Training on breach identification and response procedures
- Signed confidentiality agreements and oaths of confidentiality

Training records are maintained and regularly updated to ensure continued compliance.
Risk Assessment for Breaches
We assess each potential breach using specific criteria:
- Sensitivity of the information involved (health information is considered highly sensitive)
- Probability that the information will be misused or cause harm
- Potential consequences to affected individuals including identity theft, financial harm, or emotional distress
- Number of individuals affected
- Ability to mitigate or reduce harm
Collection Notice
Before collecting your health information, we provide notice including:
- The specific purposes for which your health information is being collected
- The legal authority for collection under the Health Information Act
- Contact information for our designated Privacy Officer who can answer questions about the collection

This notice is provided through posted signage, written materials, and/or our website to ensure you have adequate opportunity to review before information collection.
Express Wishes Regarding Information Disclosure
Under the Health Information Act, you have the right to express wishes regarding the disclosure of your health information. We will consider and document your expressed wishes before disclosing your information, even when disclosure is otherwise permitted by law. You may discuss your preferences with our Privacy Officer.
Types of Healthcare Consent
We obtain different types of consent based on the use of your information:
- Implied consent for routine healthcare communications and care coordination
- Express written consent for disclosure to third parties not involved in your care
- Specific consent for marketing communications or non-essential uses
- Research participation consent when applicable

You may withdraw consent at any time, subject to professional and legal obligations.
Detailed Retention Schedule
- Patient health records: 10 years from last entry (or 10 years after age 18 if patient was a minor)
- Consent forms: Duration of retention period plus 1 year
- Breach incident records: Minimum 2 years from date breach was determined
- Access audit logs: Minimum 2 years or as required by regulation
- Staff training records: Duration of employment plus 6 years
International Data Transfers
Health information is stored and processed within Canada in compliance with Alberta privacy laws. Any processing or storage outside Canada requires:
- Specific notification to you about the destination country
- Your express consent for the transfer
- Appropriate safeguards to protect your information
- Information about foreign privacy laws that may apply
Professional Regulatory Compliance
As a regulated healthcare provider in Alberta, we comply with:
- College of Acupuncturists of Alberta standards and requirements
- Professional codes of conduct regarding patient confidentiality
- Regulatory reporting requirements for privacy incidents
- Professional liability and insurance obligations

Our privacy practices align with both legal requirements and professional standards.
Privacy Breach Notification Enhancement
In accordance with PIPEDA and Alberta privacy laws, we will:
- Report any privacy breach that poses a real risk of significant harm to the Privacy Commissioner within 72 hours
- Notify affected individuals of such breaches as soon as feasible
- Maintain detailed records of all breaches for at least two years
- Conduct thorough risk assessments considering the sensitivity of information, probability of misuse, and potential consequences to affected individuals
Social Media and Content Sharing Privacy
When our content is shared on social media platforms or when you interact with our social media accounts:
- Third-party platform privacy policies apply to information shared on those platforms
- We maintain professional communication standards as required by our regulatory college
- Any testimonials or reviews shared publicly follow provincial healthcare advertising restrictions
- Cross-platform data sharing is limited to what is necessary for legitimate business purposes and complies with applicable consent requirements
Minors and Mature Minor Consent
For patients under 18 years of age in Alberta:
- Minors (under 16): Parental/guardian consent required for treatment and health information collection
- Mature minors (typically 16-17, assessed individually): May provide their own consent for treatment and control access to their health information
- Privacy rights of mature minors are protected – parents/guardians cannot access their health information without the mature minor’s consent
- We assess maturity on a case-by-case basis considering the complexity of treatment and individual circumstances
- Confidentiality obligations to mature minors are maintained in accordance with Alberta’s Health Information Act sections 104 and Personal Information Protection Act section 61
Email Marketing Compliance (CASL)
Our email communications comply with Canada’s Anti-Spam Legislation (CASL):
- Express consent: Obtained through clear opt-in mechanisms for newsletter subscriptions
- Implied consent: Applied for existing patients based on our healthcare relationship (valid for 2 years)
- All emails include clear sender identification, truthful subject lines, and easy unsubscribe mechanisms
- Unsubscribe requests are processed within 10 business days
- Appointment reminders and treatment-related communications are considered transactional (not subject to CASL consent requirements)
- We maintain detailed records of all consent obtained for email communications
International Visitors and GDPR Compliance
For visitors from the European Union or European Economic Area:
- We comply with GDPR requirements when processing personal data of EU residents
- Legal basis for processing health data: Article 9(2)(h) – healthcare purposes
- EU residents have additional rights including data portability and enhanced consent withdrawal
- Data transfers outside the EU are conducted with appropriate safeguards
- EU residents may contact our Privacy Officer for GDPR-specific requests
- Data retention periods align with both Canadian and GDPR requirements
- We maintain records of processing activities as required by GDPR Article 30
Third-Party Data Processing Accountability
We ensure all third-party service providers handling your personal information maintain equivalent privacy protections:
- Written data processing agreements with all vendors
- Regular verification of third-party privacy and security controls
- Notification requirements for third-party breaches affecting your information
- Contractual obligations for third parties to delete data upon service termination
- Due diligence assessments before engaging new service providers
- Third-party processors cannot use your data for their own purposes

Detailed Privacy Rights
Under Canadian and international privacy laws, you have the right to:
Access Rights:
- Request copies of all personal information we hold about you
- Receive information in a structured, commonly used format
- Understand the source of your information if not collected directly from you

Correction and Deletion Rights:
- Correct inaccurate or incomplete personal information
- Request deletion of personal information (subject to legal retention requirements)
- Restrict processing of your information in certain circumstances

Consent Management Rights:
- Withdraw consent for specific uses of your information
- Object to processing based on legitimate interests
- Opt-out of direct marketing communications

Portability Rights (for EU residents):
- Receive personal data in a machine-readable format
- Transmit data to another healthcare provider where technically feasible

We will respond to privacy rights requests within 30 days and provide reasons if we cannot fulfill a request.
Automated Processing and Profiling
We do not use automated decision-making or profiling that would significantly affect your healthcare or legal rights. Any automated systems we use (such as appointment scheduling or reminder systems) involve human oversight and do not make medical decisions without practitioner involvement.
Cross-Border Data Transfer Protections
When personal information is transferred outside Canada:
- We ensure recipient countries provide adequate protection levels
- Standard contractual clauses are used where adequate protection is not available
- We conduct transfer impact assessments for high-risk transfers
- You will be notified of the specific countries and safeguards in place
- Additional consent may be required for transfers to countries without adequate protection
- Emergency transfers may occur only to protect vital interests
Privacy Request Response Times
We will respond to privacy-related inquiries and requests within:
- General privacy questions: 5 business days
- Access to personal information requests: 30 days
- Correction requests: 30 days
- Consent withdrawal requests: Immediately upon verification
- Privacy complaints: 30 days with status updates

If we cannot meet these timeframes, we will notify you of the delay and expected resolution date.
Third-Party Analytics Services
Our website analytics may involve third-party services including:
- Google Analytics (with IP anonymization enabled)
- WordPress.com analytics (if applicable)
- Social media pixels from Facebook, Instagram, LinkedIn (if applicable)

You can opt out of these services through:
- Browser cookie settings
- Google Analytics Opt-out Browser Add-on
- Our cookie preference center (if implemented)
After-Hours Privacy Emergencies
For urgent privacy matters outside business hours (suspected breaches, unauthorized access):
- Email: [email protected]
- We will respond to privacy emergencies within 24 hours.
Privacy Policy Accessibility
This privacy policy is available in multiple formats to ensure accessibility:
- Large print version available upon request
- Screen reader compatible formatting
- Available in alternative languages upon request (subject to availability)
- Audio version available for visually impaired individuals

Contact our Privacy Officer to request alternative formats.
