Privacy Policy for Rehab Mechanics
Effective Date: June 5, 2026
Last Updated: June 5, 2026
Website: www.rehabmechanics.com
1. Introduction, Scope, and Our Dual Mandate
Rehab Mechanics ("we," "us," or "our") is a comprehensive, multidisciplinary rehabilitation and physiotherapy practice based in rural Ontario, Canada. We are dedicated to providing localized, high-quality, evidence-based healthcare services to our community while maintaining the absolute highest standards of professional privacy, ethical confidentiality, and data segregation.
This Privacy Policy is an authoritative, legally binding declaration designed to inform you, with total transparency, of our robust, systemic practices regarding the collection, use, disclosure, and protection of your "Personal Information" and "Personal Health Information."
The Dual Mandate and the "Airwall" Philosophy
We operate under a unique dual mandate. First, we provide hands-on and virtual medical care to specific, identifiable patients. Second, we operate a globally accessible digital platform (www.rehabmechanics.com) that publishes free, educational health content subsidized by programmatic advertising.
Because we operate at this complex intersection of highly regulated medical care and commercial digital publishing, we recognize that our data architecture must be unassailable. We operate under a strict "Airwall" philosophy: the technological infrastructure that handles your sensitive medical data is structurally, systematically, and completely isolated from the web architecture that serves our public blog and its associated advertising networks. There is zero crossover.
Jurisdictional Application
This policy applies universally to all visitors of our website, current and former patients, substitute decision-makers, guardians, legal representatives, and any individuals whose information we may process in the course of our clinical, administrative, or commercial operations. By interacting with our digital interfaces, subscribing to our publications, or retaining our healthcare services, you acknowledge that you have read, understood, and agreed to the operational mechanics of this policy.
Our practices are strictly governed by two distinct, yet complementary, legislative frameworks:
The Personal Information Protection and Electronic Documents Act (PIPEDA): The federal Canadian statute governing our commercial website activities, digital advertising, newsletter distribution, and general non-medical data handling.
The Personal Health Information Protection Act, 2004 (PHIPA): The provincial Ontario statute governing our paramount, overriding fiduciary duty to protect all patient health-related data, clinical charting, and therapeutic records.
2. Statutory Definitions (PIPEDA & PHIPA)
To ensure operational clarity, eliminate legal ambiguity, and guarantee strict regulatory compliance, the following defined terms are utilized throughout this policy. They are derived directly from the statutory texts of PIPEDA, PHIPA, and the Substitute Decisions Act, specifically tailored to the operational reality of our clinic:
Personal Information (PIPEDA): Information about an identifiable individual. This includes any data where there is a "serious possibility" that an individual could be identified, either through the data alone or in combination with other reasonably accessible records (e.g., an IP address cross-referenced with a newsletter subscription).
Personal Health Information / PHI (PHIPA): Identifying information about an individual in oral or recorded form, if the information relates to the physical or mental health of the individual, the providing of health care to the individual, or is collected in the course of providing health services. This includes clinical notes, intake forms, and payment history related to medical care.
Health Information Custodian / HIC (PHIPA): A person or organization that has custody or control of personal health information as a result of or in connection with performing their professional duties. As the operator of this private practice, Rehab Mechanics (and its principal physiotherapist) is legally considered the HIC and bears ultimate, non-transferable accountability for managing and protecting the entire record-keeping system.
Agent (PHIPA): A person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information. Physiotherapists, kinesiologists, massage therapists, locums, administrative staff, and IT contractors working within Rehab Mechanics act as "Agents" of the Custodian.
Substitute Decision-Maker (SDM): A person authorized under the Health Care Consent Act, 1996 to consent on behalf of an individual to the collection, use, or disclosure of personal health information (e.g., a parent of a young child, or a legally designated attorney for personal care).
De-identify (PHIPA): To comprehensively remove any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual. To achieve a statistical threshold of anonymity (often referred to mathematically as $k$-anonymity), we strip names, exact dates of birth, and unique geographic identifiers before analyzing general clinic recovery statistics.
Breach of Security Safeguards (PIPEDA/PHIPA): The loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of our security safeguards or from a failure to establish those safeguards.
Record: A record of information in any form or in any medium, whether in written, printed, photographic, or electronic form, including correspondence, clinical charts, anatomical diagrams, diagnostic films, and digital audit logs.
3. Comprehensive Categories of Information We Collect
To fulfill our clinical mandate and safely navigate the complexities of modern musculoskeletal rehabilitation, we must collect varying, highly specific classifications of data. We strictly categorize this data to ensure differing, appropriate levels of security are applied:
A. Core Identity and Socio-Demographic Information
Identity Data: Your full legal name, preferred name/aliases (for inclusive communication), date of birth, and gender identity.
Contact Details: Home address, billing address, primary and secondary telephone numbers, and personal email addresses.
Emergency Infrastructure: Names, relationships, and contact details of next-of-kin or designated emergency contacts.
Socio-Demographic & Occupational Data: Information regarding your current employment, occupational physical demands (e.g., heavy lifting, prolonged sitting), hobbies, and lifestyle factors. This is not collected for marketing; it is critical clinical data required to understand the biomechanical stresses placed on your body and to design a relevant, functional rehabilitation program.
B. Sensitive Personal Health Information (PHI)
This is the most highly protected class of data we hold. It includes, but is not limited to:
Historical and Current Medical Data: Comprehensive medical history, surgical history, family medical history (where relevant to genetic musculoskeletal conditions), lists of current medications and supplements, and detailed subjective descriptions of your current physical complaints.
Clinical Assessments and Objective Metrics: Range of motion measurements, neurological reflex testing, pain scale ratings, functional capacity evaluations, ergonomic assessments, and gait analysis data.
Third-Party Medical Records: Physician referral reports, surgical operative notes, diagnostic imaging results (X-rays, MRIs, CT scans, Ultrasounds), and specialized laboratory results.
Treatment Protocols and Progression: Customized treatment plans, detailed clinical session notes (SOAP notes: Subjective, Objective, Assessment, Plan), exercise prescriptions, modalities used (e.g., shockwave, acupuncture), and documented physiological responses to therapy.
Tele-Rehabilitation and Digital Biomarkers: If you participate in virtual care or use our prescribed digital exercise application, we collect video transmission logs, asynchronous messaging regarding your pain levels, and adherence data (e.g., how often you log in to view your home exercise program).
C. Financial, Insurance, and Fiduciary Administration Data
To facilitate seamless access to care, prevent disruptions in your treatment schedule, and manage complex third-party billing, we process:
Private Insurance: Extended healthcare insurance details, policy numbers, member IDs, and primary policyholder information.
Provincial Boards and Auto Claims: Workplace Safety and Insurance Board (WSIB) claim numbers, adjudication status, date of injury, mechanism of injury, and Motor Vehicle Accident (MVA) insurance claim details (including adjustor contact information and OCF claim forms processed through the provincial Health Claims for Auto Insurance or HCAI system).
Payment Processing: Tokenized credit card data. We utilize a Payment Card Industry Data Security Standard (PCI-DSS) compliant third-party processor; full credit card numbers and CVV codes are never stored on our local servers, only the cryptographic tokens the processor returns. We also retain banking details for refunds and historical invoice ledgers for tax compliance.
D. Technical, Navigational, and Website Usage Data
When you visit our public-facing website (www.rehabmechanics.com) to read our blog, engage with our digital content, or view our team bios, we automatically collect non-medical technical data:
Device Metrics: Your Internet Protocol (IP) address, browser type and version, time zone setting, browser plug-in types, operating system, and hardware platform.
Clickstream and Behavioral Data: The Uniform Resource Locators (URLs) you used to navigate to, through, and from our website; the specific articles you viewed or searched for; page response times; download errors; length of visits to certain pages; and page interaction information (such as scrolling, clicks, mouse-overs, and heat-map data).
4. The Patient Lifecycle and Specific Methods of Collection
Data is not collected indiscriminately. It is gathered logically and systematically at specific touchpoints throughout your lifecycle with Rehab Mechanics:
Phase 1: Pre-Screening, Waitlist, and Intake
The moment you contact us via telephone or our secure digital inquiry portal, we begin collecting demographic and preliminary health data to determine if our services are clinically appropriate for your condition. If our clinic is at capacity, your data is placed on a secure waitlist. Prior to your initial assessment, you will be required to complete comprehensive, secure digital intake forms. This asynchronous collection ensures maximum face-to-face time with your therapist during your actual appointment.
Phase 2: The Clinical Assessment and Ongoing Treatment
The vast majority of your PHI is generated during one-on-one sessions with your physiotherapist. This includes verbal disclosures you make during the appointment (which are subjectively charted), physical observations and biomechanical tests performed by the therapist (which are objectively charted), and the subsequent analytical synthesis required by the College of Physiotherapists of Ontario.
Phase 3: Virtual Care (Tele-Rehabilitation)
During a video telehealth session, data is collected in real-time. While we do not routinely record the video or audio of these sessions, the clinical observations made during the video call are documented in your chart exactly as they would be during an in-person visit. We utilize end-to-end encrypted, PHIPA-compliant telehealth platforms to facilitate these appointments.
Phase 4: Ongoing Digital Communication and Alumni Phase
We collect data when you email our administrative staff regarding scheduling, when you use our secure patient portal to download an invoice, or when you opt-in to our educational newsletter post-discharge.
Phase 5: Third-Party Integrations and Referrals
With your explicit or legally implied consent, we actively pull data from external sources. This includes requesting your imaging reports from local hospitals, consulting with orthopedic surgeons, collaborating with your massage therapist, or corresponding with your legal representative (in the case of personal injury or tort claims).
5. Justified Purposes for Collection and Processing
Rehab Mechanics collects and uses your information exclusively for specific, legally justified, and professionally mandated purposes:
1. Clinical Efficacy and Continuity of Care
To accurately assess, diagnose, and treat your musculoskeletal, neurological, and cardiopulmonary conditions.
To design, monitor, and dynamically adjust customized rehabilitation programs that ensure optimal physiological recovery.
To communicate effectively within your "circle of care" to ensure coordinated, holistic treatment.
2. Administrative, Legal, and Fiduciary Operations
To manage appointment scheduling, optimize clinic workflows, and triage urgent cases.
To process payments securely, issue Canada Revenue Agency (CRA) compliant tax receipts, and submit complex direct billing claims to third-party payors (e.g., Sun Life, Manulife, WSIB, HCAI).
To perform internal audits, quality assurance checks, and retrospective business analytics (using de-identified aggregate data) to improve the standard of care, staff allocation, and clinic efficiency.
To defend the clinic against potential legal claims or to respond to regulatory audits initiated by the College of Physiotherapists of Ontario.
3. Digital Education and Website Monetization (Programmatic Advertising)
To deliver our free email newsletter containing exercises, health tips, and clinic updates (strictly subject to your explicit opt-in consent under CASL).
To serve relevant, programmatic advertisements via third-party networks (like Google AdSense) on our non-medical blog pages. This commercial activity generates the vital revenue required to subsidize the ongoing creation of free, high-quality health content. The data processed for this purpose is entirely restricted to Technical and Usage Data (Section 3D) and absolutely never intersects with PHI.
6. The Principle of Consent, Capacity, and the "Lock-Box"
We recognize that your personal and health information belongs fundamentally to you. We are merely the custodians of the record. We process this data based on your informed consent, governed by the stringent rules of the Health Care Consent Act, 1996 and PHIPA.
Express vs. Implied Consent within the "Circle of Care"
Express Consent: We will seek your express consent—either via a signed physical document, a digitally authenticated signature, or a specifically documented verbal agreement—before collecting highly sensitive PHI from third parties, before initiating a radically new physical treatment modality, or before disclosing your data to an entity outside your direct healthcare team (e.g., to your employer or a lawyer).
Implied Consent: Under PHIPA, when you actively seek healthcare from us, your consent to allow us to collect, use, and disclose your PHI to other healthcare practitioners who are actively involved in your direct care (the "circle of care") is generally implied. This allows us to swiftly update your family doctor or consult a specialist without demanding a new signature for every single fax.
Capacity and Substitute Decision-Makers (SDMs)
Consent is only valid if the patient is deemed "capable." Capacity is not strictly tied to age; it is defined by the patient's ability to understand the information relevant to deciding whether to consent, and to appreciate the reasonably foreseeable consequences of a decision or lack of decision.
If a patient (such as a young minor, or an adult suffering from severe cognitive impairment) is deemed incapable of making decisions regarding their health information, we will obtain consent from their legally authorized Substitute Decision-Maker (SDM).
The SDM must be authorized under Ontario law (e.g., a custodial parent, a legally appointed guardian of the person, or an attorney for personal care) and must make decisions based on the patient's prior capable wishes or, lacking those, their best interests.
The "Lock-Box" Provision: Your Right to Restrict Sharing
Under PHIPA, you have the explicit right to restrict, withdraw, or condition your consent regarding the sharing of your PHI among your healthcare providers. This is commonly referred to in Ontario as the "Lock-Box" provision.
Invocation: You may instruct us not to share a specific portion of your chart (or your entire chart) with another specific provider (e.g., "Do not send my mental health screening results to my family doctor").
Implementation: Once invoked, we implement strict administrative and technological barriers within our Electronic Medical Record (EMR) system to ensure that specific data is partitioned and withheld from standard circle-of-care communications.
The "Risk of Harm" Exception: We are legally bound to comply with your Lock-Box directive. However, if our physiotherapist genuinely believes that withholding this information from another provider poses a significant risk of serious bodily harm to you or another person, or if withholding the information means the receiving provider cannot safely treat you, we are legally mandated to inform the receiving provider that certain information has been deliberately withheld from the record.
Total Withdrawal of Consent
You have the right to withdraw your general consent for data processing at any time. However, withdrawing consent for the collection and use of foundational PHI will legally and practically prohibit us from providing you with further rehabilitative care. A physiotherapist cannot safely, ethically, or lawfully treat a patient without maintaining an accurate, contemporaneous medical record.
7. Authorized Disclosures of Information
While your clinical data is protected by strict healthcare confidentiality laws, solicitor-client privilege equivalents, and the inherent fiduciary duty of our practitioners, we may legally and ethically disclose your information under the following precise circumstances:
1. Active Healthcare Providers
As discussed, within the implied circle of care, to physicians, specialists, imaging clinics, hospitals, and concurrent therapists to facilitate ongoing treatment.
2. Insurance, Funding Bodies, and Legal Counsel
To WSIB, auto insurers, or extended health benefit providers for the strict purpose of adjudicating claims, approving treatment blocks, and processing financial billing.
To your retained legal counsel (e.g., personal injury lawyers), but only upon receipt of a formally executed, signed Direction and Authorization form from your legal representative.
3. Service Providers, Cloud Infrastructure, and Cross-Border Transfers
We utilize trusted third-party enterprise providers who perform services on our behalf. This includes our cloud-based Electronic Medical Record (EMR) software provider, digital exercise prescription platforms (e.g., Physitrack), unified communication systems, and accounting firms.
Information Sharing Agreements (ISAs): These entities do not "use" your data for their own independent purposes; they act solely as technological sub-agents. They are bound by rigorous, legally enforceable ISAs, Business Associate Agreements, and confidentiality contracts.
Data Localization: We make every commercially reasonable effort to utilize service providers whose primary servers are physically located within Canada. However, in limited circumstances, encrypted data may be routed through or stored on servers located in the United States or other jurisdictions. In such cases, the data is subject to the laws of that foreign jurisdiction, including potential access by foreign national security authorities.
4. Mandatory Legal and Regulatory Reporting
We are legally compelled to disclose information without your consent in specific, highly regulated scenarios, including:
Responding to a valid court order, search warrant, or subpoena.
Reporting suspected abuse, neglect, or harm of a child (under age 16) to a Children's Aid Society, as mandated by the Child, Youth and Family Services Act.
Reporting to the Ministry of Transportation if a patient is deemed clinically, neurologically, or physically unfit to operate a motor vehicle safely.
Reporting to the Workplace Safety and Insurance Board (WSIB) when a patient presents with an occupational injury.
Cooperating with the College of Physiotherapists of Ontario during a professional audit, peer assessment, or disciplinary investigation to ensure public safety.
Preventing a clear, significant, and imminent risk of serious bodily harm or death to yourself or the public.
8. Enhanced Data Security: The Defense-in-Depth Architecture
The protection of your data is not just an administrative priority; it is the foundational pillar of our clinic's integrity. As the Health Information Custodian, Rehab Mechanics employs a comprehensive "defense-in-depth" strategy, layering physical, technological, and administrative safeguards so that no single control failure exposes your data to cyber threats, ransomware, unauthorized access, or human error.
A. Technological Safeguards (Cybersecurity and Digital Hygiene)
Cryptographic Standards: All digital patient files, EMR charting systems, and communication portals are hosted on secure, PIPEDA/PHIPA-compliant cloud servers. Data is encrypted at rest with AES-256 and in transit with TLS 1.3.
Role-Based Access Control (RBAC) & Principle of Least Privilege: Access to patient files is strictly compartmentalized based on job function. A massage therapist can only view the files of patients they are directly treating; an administrative assistant can view billing and scheduling data but is technologically restricted from unlocking or viewing detailed subjective clinical charting.
Zero Trust Authentication and Audit Logging: We utilize mandatory Multi-Factor Authentication (MFA) via authenticator apps for all staff accessing the EMR system. Furthermore, the system maintains an immutable, non-deletable "audit log." This log records exactly who accessed which patient file, from what IP address, and at what precise millisecond, ensuring total internal accountability and discouraging internal "snooping."
Endpoint Detection and Threat Modeling: Clinic devices are protected by enterprise-grade, centrally managed Endpoint Detection and Response (EDR) software designed to detect and quarantine malware, ransomware, and unauthorized exfiltration attempts in real-time.
Bring Your Own Device (BYOD) Policy: Staff accessing clinic data from personal devices must comply with our strict Mobile Device Management (MDM) policy, which enforces screen locks, biometric authentication, and the ability for the clinic to remotely wipe the device if it is lost or stolen.
B. Physical Safeguards (The Clinic Environment)
Premises Security: Our physical clinic is secured by monitored alarm systems, motion detectors, and commercial-grade deadbolt locks outside of operational hours.
Acoustic and Visual Privacy: Treatment rooms are architecturally designed with sound-dampening materials to minimize sound transmission and prevent eavesdropping during sensitive clinical discussions. Reception computer monitors are strategically angled away from the public and equipped with polarized privacy screens to prevent "shoulder surfing" by other patients in the waiting area.
Clean Desk and Hardware Policy: All staff are mandated to clear desks of any physical documents containing PHI when stepping away from their workstation. Any physical patient files, intake forms, or faxes are locked in secure, fire-resistant filing cabinets immediately after use.
C. Administrative Safeguards (Human Resources and Training)
Culture of Privacy: All Agents (employees, contractors, locums, and student interns) undergo mandatory, documented privacy training upon hiring and annually thereafter. This includes scenario-based training and simulated phishing attacks to ensure staff remain hyper-vigilant against social engineering threats.
Contractual Liability: Every individual working within the clinic must sign a legally binding Non-Disclosure Agreement (NDA) and an Acceptable Use Policy as an absolute condition of their employment or contract.
Mandatory Breach Reporting Protocol
In the highly unlikely event that our layered security safeguards are breached and your Personal Information or PHI is lost, stolen, subjected to a ransomware encryption attack, or accessed without authorization, we have a strict statutory duty to act immediately. We will execute our Incident Response Plan:
Contain and Eradicate: Immediately isolate compromised systems, sever network connections, and halt the data loss.
Assess and Remediate: Utilize cybersecurity forensics to determine the scope of the breach and patch the vulnerability.
Direct Notification: Notify you directly and transparently, explaining the nature of the breach, the specific data compromised, and the steps we are taking to protect you.
Regulatory Reporting: Formally report the breach to the Information and Privacy Commissioner of Ontario (IPC) (for health data) or the Office of the Privacy Commissioner of Canada (OPCC) (for commercial data), as strictly mandated by law.
9. Retention and Secure Disposal of Information
We view the indefinite retention of data as a massive liability, not an asset. We do not keep Personal Information longer than is functionally or legally necessary.
Professional Medical Standards (PHIPA): Under Ontario law and the strict regulations of the College of Physiotherapists of Ontario, we are legally required to safely retain all clinical patient records (PHI) for a minimum window of 10 years from the date of the last clinical interaction.
The Rule for Minors: If the patient was a minor (under the age of 18) at the time of their last visit, records must be kept for 10 years after the day they turn 18 (effectively, until their 28th birthday).
Financial and Corporate Records: General financial ledgers, billing codes, and tax-related information are retained for 7 years to comply with Canada Revenue Agency (CRA) statutory mandates.
The Mechanics of Secure Destruction: Once the statutory retention period officially expires, the data is flagged for permanent destruction. Digital data is permanently destroyed using secure, cryptographic wiping protocols (meeting or exceeding DoD 5220.22-M standards) that render data recovery forensically infeasible. Physical paper records (such as old archived charts or printed faxes) are destroyed via professional, bonded cross-cut shredding and pulping services. These services provide us with a legally certified "Certificate of Destruction," which we retain for our compliance audits.
10. Cookies, Analytics, Google AdSense, and Third-Party Tracking
To subsidize the robust, free educational content provided on our digital blog, Rehab Mechanics partners with third-party programmatic advertising networks, predominantly Google AdSense. This necessitates the use of cookies on the public, non-medical portions of our website.
Understanding Cookies and Local Storage
A cookie is a small text file placed on your computer, smartphone, or browser by a web server. Cookies cannot be used to run malicious programs or deliver viruses to your computer. They are simply identifiers.
Essential and Session Cookies: These are strictly necessary for our website to function (e.g., remembering your cookie consent preferences or keeping your session active while you read an article). They expire when you close your browser.
Performance and Analytics Cookies: We use tools like Google Analytics to aggregate anonymized visitor traffic data. This helps us understand which blog articles (e.g., "Top 5 Exercises for Sciatica") are most helpful to our community, allowing us to tailor future content.
Google AdSense, Real-Time Bidding, and the DART Cookie
As a third-party vendor, Google uses cookies, specifically the DART cookie, to serve targeted advertisements to our users.
How it Works: When you visit our blog, Google’s algorithms analyze your behavioral profile based on your previous visits to www.rehabmechanics.com and millions of other sites across the broader internet. In fractions of a second, an automated "real-time bidding" auction occurs to serve you an ad that Google deems relevant to your interests.
Our Lack of Control: We do not control the specific ads you see, nor do we have access to the massive behavioral profile Google holds on you. We merely provide the digital "billboard space" on our blog.
The Absolute Separation from Health Data
We enforce a zero-tolerance policy regarding the crossover of advertising tracking and health data. Advertising tracking scripts, Google Analytics pixels, Meta Pixels, and AdSense code are disabled and technologically blocked on any web page, portal, or sub-domain that facilitates patient intake, appointment booking, telehealth video feeds, or the processing of PHI. Your medical interactions with our clinic will never be used to serve you targeted ads.
Opting Out and Reclaiming Control
You maintain total control over your digital footprint on our public site:
Google Specific Opt-Out: Users may explicitly opt out of Google's personalized advertising by visiting Google Ads Settings.
Broad Industry Opt-Out: You may opt out of a wide array of third-party vendors' use of cookies for personalized advertising by visiting the Digital Advertising Alliance at www.aboutads.info/choices/ or the Network Advertising Initiative at optout.networkadvertising.org.
Browser Controls: You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. Note that if you disable essential cookies, some parts of our website may become inaccessible or not function properly.
11. Anti-Spam Compliance (CASL)
Rehab Mechanics operates in rigorous, documented adherence to Canada’s Anti-Spam Legislation (CASL), one of the strictest anti-spam laws in the world.
Commercial vs. Transactional Messages: We strictly differentiate between transactional/administrative communications (e.g., appointment confirmations, digital invoices, password resets, and direct communications from your physiotherapist regarding your active care) and Commercial Electronic Messages (CEMs). CEMs include our monthly clinic newsletter, promotional offers, or announcements of new clinic services.
Express vs. Implied Consent: We only send CEMs to individuals who have provided express, opt-in consent (e.g., checking a box specifically asking for the newsletter). We may also rely on "implied consent" generated by an "existing business relationship"—specifically, if you have been a paying patient within the last 24 months, or if you made an inquiry regarding our services within the last 6 months.
The Right to Unsubscribe: Every single marketing email we dispatch includes a clear, accessible, and highly visible "Unsubscribe" link at the footer. Clicking this link will irrevocably remove your email address from our marketing distribution lists within a maximum of 10 business days, though our automated systems typically process this removal instantly.
12. Your Privacy Rights: Access, Correction, and Portability
Under the synergistic legal frameworks of PIPEDA and PHIPA, you hold significant, legally enforceable, and paramount rights regarding the data we possess about you:
Right of Access (The 30-Day Statutory Rule)
You may formally request a complete copy of your medical charts, a summary of your treatment history, or a detailed description of how your general Personal Information has been used and to whom it has been disclosed.
Process: Requests must be made in writing to our Privacy Officer.
Timeline: Under PHIPA and PIPEDA, we are legally mandated to process this request, execute a reasonable search of our archives, and provide the records within 30 days of receiving your official request.
Fees: We may apply a reasonable, nominal administrative fee for this service (to cover the cost of staff time and secure digital transfer), strictly in accordance with the fee guidelines established by the IPC.
Right to Correction
If you review your records and demonstrate that clinical, historical, or administrative details are factually inaccurate or incomplete (e.g., an incorrect date of birth, an error in a documented surgical history, or a misspelled legal name), you have the right to request a formal correction.
Process: We will append the correction directly to the chart. Crucially, we will also notify any third parties (like insurance adjusters or family doctors) who may have recently received the erroneous data.
Limitation: Please note that we cannot legally "erase" or alter professional clinical opinions, diagnoses, or observations made in good faith by the therapist at the time of the visit. However, we can and will append a statement of your disagreement to the permanent file.
Right to Portability
Should you choose to relocate, transfer your care to another clinic, or seek a second opinion, you have the right to request that a copy of your records be securely transferred directly to the new facility or practitioner to ensure seamless continuity of care.
Challenging Compliance
You have the absolute right to raise a challenge concerning our compliance with any aspect of this policy, our data handling procedures, or our response to an access request directly with our designated Privacy Officer.
APPENDIX A: COMPREHENSIVE LEGAL APPENDIX: STATUTORY FRAMEWORK, JURISPRUDENTIAL STANDARDS, AND SYSTEMATIC COMPLIANCE OBLIGATIONS UNDER PIPEDA & PHIPA
PART I: REGULATORY MANDATE AND STATUTORY CONTEXT
Rehab Mechanics positions itself as an entity firmly committed to the interpretation, strict application, and rigorous enforcement of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), alongside Ontario's Personal Health Information Protection Act, 2004 ("PHIPA"). Where statutory duties arise, the clinic recognizes that compliance is strictly mandatory. Within the legislation, duties are denoted by the statutory auxiliary verb "shall," representing an absolute legal obligation, strict liability, and an absence of discretionary authority. All capitalized terms utilized herein are derived directly from Schedule 1 of PIPEDA or relevant jurisprudence from the Federal Court of Canada (FC), the Federal Court of Appeal (FCA), the Supreme Court of Canada (SCC), and rulings from the IPC.
PART II: THE JURISPRUDENTIAL BOUNDARIES OF "PERSONAL INFORMATION"
Under Section 2(1) of PIPEDA, "personal information" is defined broadly as "information about an identifiable individual."
The Principle of Broad Interpretation: Consistent with administrative law principles governing quasi-constitutional privacy rights in Canada, the definition of Personal Information must be given a broad, generous, and highly expansive interpretation (Dagg v. Canada, [1997] 2 S.C.R. 403; Canada v. RCMP, 2003 SCC 8).
The "Serious Possibility" Test: Information concerns an "identifiable individual" where there is a "serious possibility" that an individual could be identified through the utilization of that information, either in isolation or combined with other reasonably accessible data (Gordon v. Canada, 2008 FC 258).
Technological Identifiers (IP Addresses): An IP address constitutes Personal Information when it can be associated, directly or indirectly, with an identifiable individual. Where an Internet Service Provider or commercial platform retains the capacity to cross-reference IP logs with subscriber identifiers, those IP addresses are legally classified as Personal Information (OPCC Technology Analysis Branch Report).
PART III: STATUTORY ACCESS, ACCOUNTING RIGHTS, AND PENALTIES
Core Principles (Principle 4.9): Upon formal request, an individual shall be informed of the existence, use, and disclosure of their Personal Information and be granted direct access to it. Possession or control of the record is merely a functional factor; it is not determinative of the right of access.
The 30-Day Mandatory Limit (Section 8(3)): We shall respond to a formal access request with utmost due diligence, and in any event, no later than thirty (30) calendar days following receipt of the request.
Mandatory Preservation of Records (Section 8(8)): Where Personal Information is the subject of an active or disputed access request, or an active investigation by the Privacy Commissioner, we shall preserve and retain all responsive records, suspending normal destruction schedules, until the individual has fully exhausted all administrative and judicial avenues of recourse.
Statutory Penalties (PHIPA): We acknowledge that under PHIPA, it is a provincial offence to deliberately collect, use, or disclose PHI in contravention of the Act, to deliberately dispose of records to evade an access request, or to fail to report a privacy breach. Penalties for corporations (such as incorporated clinics) can reach up to $1,000,000, and up to $200,000 for individuals, alongside potential disciplinary action from the College of Physiotherapists.
PART IV: DEEP ANALYSIS OF THE STATUTORY "SHALL" OBLIGATIONS (SCHEDULE 1)
The word "shall" appears 127 times within the text of PIPEDA. Within the ten foundational principles of Schedule 1, there are 53 distinct, independent mandatory obligations imposed on organizations. Rehab Mechanics systematically enforces compliance with these obligations through internal audits, technological architecture, and strict clinical protocols. Below is a detailed application of how we fulfill the core pillars:
Accountability (4 Obligations): We have explicitly designated a Privacy Compliance Officer personally accountable for organizational compliance. We ensure that all third-party service providers (like our cloud EMR) offer a comparable, legally binding level of protection via strict Information Sharing Agreements.
Identifying Purposes (3 Obligations): We comprehensively document and explicitly state the clinical and commercial purposes of data collection at or before the exact time of intake (via our intake forms and this policy).
Consent (4 Obligations): We obtain informed, un-coerced, and non-deceptive consent matching the exceptionally high sensitivity of medical rehabilitation data, ensuring patients understand why we need their data to treat them.
Limiting Collection (5 Obligations): Data collection is narrowed strictly to what is necessary for clinical care, billing, and legal compliance. We do not over-collect data "just in case." Collection is achieved exclusively via fair, transparent, and lawful means.
Limiting Use, Disclosure, & Retention (5 Obligations): Data is retained only as long as clinically or legally necessary (specifically adhering to the 10-year PHIPA rule); outdated records are cryptographically destroyed rather than indefinitely archived.
Accuracy (4 Obligations): We maintain accurate, complete, and current data to prevent prejudicial medical decisions or delayed insurance adjudications. Therapists are required to chart contemporaneously to ensure accuracy.
Safeguards (5 Obligations): We implement rigorous physical (locked cabinets, soundproofing), electronic (MFA, AES-256 encryption, EDR software), and organizational (NDAs, strict access hierarchies) security measures detailed in Section 8 to prevent and mitigate breaches.
Openness (5 Obligations): We provide public, easily accessible, and highly transparent information regarding our personal data policies, as evidenced by the publication, depth, and continual updating of this very document.
Individual Access (13 Obligations): Upon request, we rapidly confirm data possession, provide swift access, supply detailed third-party disclosure accounts, and execute requested factual corrections without unreasonable delay or obstruction.
Challenging Compliance (5 Obligations): We provide open, documented recourse channels, thoroughly investigate all complaints internally, and implement immediate corrective operational measures if administrative deficiencies are identified.
Contacting Our Privacy Officer
If you have questions about the interpretation of this policy, wish to exercise your rights of access, correction, or the "Lock-Box", or have a formal complaint about how your digital or health data was handled, please direct your correspondence to our designated Privacy Officer.
We guarantee a thorough, respectful review and will respond to all inquiries well within the 30-day statutory limit.
Rehab Mechanics
Attn: Privacy Officer
Email: privacy@rehabmechanics.com
Phone: 416.533.3900
Mailing Address:
68 Abell St.
Toronto, ON, M6J 0B1
Escalation and Regulatory Recourse
If you are not satisfied with our internal review or response regarding general commercial, website, or marketing data, you possess the legal right to escalate your concern to the Office of the Privacy Commissioner of Canada (OPCC) at 30 Victoria Street, Gatineau, Quebec, K1A 1H3, or by visiting www.priv.gc.ca.
For complaints specifically regarding the handling, breach, unauthorized disclosure, or denial of access to your highly sensitive Personal Health Information (PHI), you should direct your correspondence to the provincial regulator: the Information and Privacy Commissioner of Ontario (IPC) at 2 Bloor Street East, Suite 1400, Toronto, Ontario, M4W 1A8, or by visiting www.ipc.on.ca.