Privacy & Compliance

TrueCare is a U.S.-based digital health company providing virtual family medicine services to patients in Canada.

TrueCare works with U.S.-based physicians who are licensed, registered, or otherwise authorized to provide care in the applicable Canadian province or territory where the patient is located.

In this Policy, “TrueCare,” “we,” “us,” and “our” means:

Because of our operating model, your information may be handled under multiple privacy and health privacy frameworks, including:

• Canadian federal privacy law, including PIPEDA
• Applicable provincial health privacy laws, including Ontario’s PHIPA and Alberta’s HIA where applicable
• U.S. health privacy law, including HIPAA, for our U.S. operations and U.S.-based physicians
• Other applicable provincial, territorial, state, professional, or regulatory requirements

Where more than one privacy law applies, TrueCare aims to follow the requirement that provides appropriate protection for your information.

TrueCare has designated a Privacy Officer responsible for privacy oversight, patient privacy requests, privacy complaints, breach response, vendor privacy review, and compliance monitoring.

Mailing Address

This Policy applies to information collected through:

• The TrueCare website
• The TrueCare patient portal
• Patient registration and waitlist forms
• Virtual consultations
• Secure messages, emails, texts, phone calls, and support requests
• Billing, payment, and administrative workflows
• Physician notes, clinical documentation, and medical records
• Interactions with our care team, support team, contractors, vendors, and authorized representatives

This Policy applies to patients, prospective patients, website visitors, authorized caregivers, substitute decision-makers, parents or guardians where applicable, and other individuals who interact with TrueCare.

We collect only the information we reasonably need to provide care, operate our services, meet legal obligations, protect patients, and maintain secure systems.

We use personal information and personal health information for purposes that a reasonable person would consider appropriate in the context of virtual health care.

We may use your information to:

• Register you as a patient or prospective patient
• Determine whether TrueCare services are available in your province or territory
• Schedule and manage appointments
• Verify your identity
• Provide virtual consultations and clinical care
• Maintain medical records
• Coordinate care with physicians and other providers
• Respond to your questions and support requests
• Process payments and billing
• Send service-related messages, appointment reminders, and portal notifications
• Obtain and manage consent
• Operate, secure, audit, and improve our systems
• Train workforce members on privacy, security, and service quality using appropriate safeguards
• Detect, investigate, and prevent privacy or security incidents
• Comply with legal, regulatory, professional, licensing, and reporting obligations
• Respond to patient access, correction, amendment, or complaint requests

We may also use de-identified or aggregated information that does not reasonably identify you for analytics, reporting, quality improvement, service planning, and compliance review.

Because health information is sensitive, we use clear consent and authorization processes.

We may ask for your express consent or written authorization when required, including for:

• Collecting health information through intake forms
• Providing virtual care
• Recording a consultation
• Sharing information outside the care team or “circle of care” where consent is required
• Using information for marketing
• Using or disclosing information for purposes not related to treatment, payment, health care operations, administration, or legal compliance

In some care-related situations, applicable law may allow implied consent or permitted use and disclosure without new consent, such as sharing information with another provider involved in your care.

You may withdraw consent or revoke an authorization, subject to legal, clinical, regulatory, and recordkeeping obligations. Withdrawal does not affect actions we already took based on your previous consent or authorization.

To withdraw consent or ask questions about consent, contact:

We may share information only as permitted or required by law, with appropriate safeguards, and only for legitimate purposes.

TrueCare's goal is to use Canadian-region hosting for patient information where practical and appropriate.

However, TrueCare is a U.S.-based company, and our physicians, workforce members, contractors, or support personnel may access information from the United States or other approved locations when needed to provide care, operate services, support systems, or meet legal obligations.

This means your personal information and personal health information may be accessed, processed, or handled from outside Canada, including from the United States.

When information is accessed or processed outside Canada, it may be subject to the laws of that jurisdiction, including lawful access by courts, law enforcement, national security authorities, regulators, or professional oversight bodies.

TrueCare uses contractual, administrative, technical, and physical safeguards designed to protect information involved in cross-border processing. These may include:

• Vendor due diligence
• Written agreements
• Business Associate Agreements where required by HIPAA
• Privacy impact assessments where required
• Access controls
• Multi-factor authentication
• Encryption in transit and at rest
• Audit logging
• Breach notification obligations
• Secure deletion requirements
• Workforce confidentiality and privacy training

For patients in provinces with additional cross-border requirements, TrueCare will take steps designed to comply with applicable provincial rules before transferring, accessing, or processing information outside that province where required.

We use safeguards appropriate to the sensitivity of health information.

• Secure patient portal access
• Approved encrypted telehealth platforms
• Encryption in transit and at rest
• Multi-factor authentication
• Role-based access controls
• Audit logs
• Secure cloud environments
• Workforce privacy and security training
• Confidentiality obligations
• Vendor privacy and security review
• Privacy impact assessments where required
• Incident response procedures
• Secure disposal and certified deletion where appropriate

No system can be guaranteed to be completely secure, but we work to protect your information using safeguards designed for sensitive health information.

We keep personal information and personal health information only as long as necessary for:

• Providing care
• Maintaining medical records
• Legal and professional obligations
• Billing and accounting
• Audits and compliance
• Privacy, security, and dispute resolution
• Regulatory requirements

Clinical records may need to be kept for several years depending on the applicable province, professional rules, and legal requirements. HIPAA-related documentation may also need to be retained according to U.S. requirements.

When information is no longer required, we securely destroy, delete, de-identify, or archive it in accordance with our retention schedule and applicable law.

Depending on your location and the laws that apply, you may have rights to:

• Access your personal information or personal health information
• Request a copy of your health record
• Request correction or amendment of inaccurate or incomplete information
• Withdraw consent or revoke authorization, subject to legal limits
• Request restrictions on certain uses or disclosures
• Request confidential communications
• Receive an accounting of certain disclosures where required by law
• Ask questions about our privacy practices
• File a privacy complaint without retaliation
• Opt out of marketing communications
• Request deletion or de-identification of certain non-clinical information where legally available

We may need to verify your identity before processing a request.

TrueCare generally aims to acknowledge access and correction requests within 5 business days and respond within 30 days unless a different timeline is required or permitted by law.

To make a request, contact:

Mailing Address

For information subject to HIPAA, TrueCare follows HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule.

Under HIPAA, TrueCare may use or disclose protected health information for treatment, payment, and health care operations, as well as other purposes permitted or required by law.

For Ontario patients and Ontario-related services, TrueCare follows Ontario's Personal Health Information Protection Act where applicable.

For Ontario personal health information, TrueCare aims to:

• Collect, use, and disclose personal health information only with consent or as otherwise permitted or required by PHIPA
• Use implied consent only where permitted, such as within the circle of care
• Obtain express consent for recordings, marketing, or non-routine disclosures where required
• Make our information practices available to patients
• Protect personal health information with reasonable safeguards
• Respond to access and correction requests within applicable timelines
• Notify affected individuals and the Information and Privacy Commissioner of Ontario where required

For Alberta patients and Alberta-related services, TrueCare follows Alberta's Health Information Act where applicable.

For Alberta health information, TrueCare aims to:

• Collect, use, and disclose health information only as authorized by the HIA
• Obtain consent where required
• Collect only the health information reasonably necessary for care or permitted purposes
• Protect health information with reasonable administrative, technical, and physical safeguards
• Complete privacy impact assessments where required
• Respond to access and correction requests as required
• Notify affected individuals, the Alberta Information and Privacy Commissioner, and the Minister of Health where required following certain breaches

If we discover a privacy or security incident involving personal information or personal health information, we will:

1. 01

   Contain

   Stop the incident from continuing or expanding.

2. 02

   Investigate

   Determine what happened, when, and what was involved.

3. 03

   Assess the risk of harm

   Evaluate the potential impact on affected individuals.

4. 04

   Notify where required

   Inform affected individuals and regulators as required by law.

5. 05

   Document

   Record the incident, response, and lessons learned.

6. 06

   Reduce the risk of recurrence

   Update safeguards, processes, training, or vendors.

Depending on the circumstances and applicable law, reports may be made to Canadian privacy regulators, provincial health privacy regulators, the U.S. Department of Health and Human Services Office for Civil Rights, professional colleges, or other authorities.

TrueCare maintains internal breach response procedures and requires workforce members, physicians, contractors, and vendors to report suspected privacy or security incidents promptly.

We may use cookies and similar technologies to:

• Keep the website functioning
• Remember preferences
• Improve performance
• Understand traffic patterns
• Secure our website and portal
• Prevent fraud or abuse

You can adjust cookie settings in your browser. Some website or portal features may not work properly if cookies are disabled.

We do not use cookies to sell personal health information.

We may send service-related communications, such as:

• Appointment reminders
• Portal notifications
• Registration updates
• Billing notices
• Security alerts
• Administrative messages

Email and text messages may not be fully secure. For sensitive health information, we encourage you to use the secure patient portal whenever possible.

You may opt out of non-essential marketing communications, but we may still send service, care, safety, legal, or administrative messages.

TrueCare may provide care to minors where permitted by law and professional requirements.

A parent, guardian, substitute decision-maker, or authorized representative may exercise privacy rights on behalf of a patient where legally permitted.

Depending on the province or territory, a minor who is capable of making certain health decisions may have independent privacy rights. We will handle minor patient information according to applicable law, clinical obligations, and professional standards.

Our website or portal may link to third-party websites or services. We are not responsible for the privacy practices of third parties that we do not control. Please review their privacy policies before providing information to them.

We may update this Policy from time to time to reflect changes in our services, laws, technology, or privacy practices.

When we make material changes, we will update the “Last Updated” date and provide notice where required.

For questions, access requests, correction requests, consent withdrawal, complaints, or privacy concerns, contact:

Mailing Address

You may also have the right to contact a privacy regulator, including:

• The Office of the Privacy Commissioner of Canada
• The Information and Privacy Commissioner of Ontario, for Ontario PHIPA matters
• The Office of the Information and Privacy Commissioner of Alberta, for Alberta HIA matters
• Your applicable provincial or territorial privacy regulator
• The U.S. Department of Health and Human Services Office for Civil Rights, for HIPAA matters

TrueCare will not retaliate against you for filing a privacy complaint.