top of page

Privacy Policy

At Centre for Neuropsychology and Emotional Wellness, we are committed to protecting your privacy and the confidentiality of your personal and health information. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and your rights under Ontario law, including the Personal Health Information Protection Act (PHIPA).

Scope This policy applies to personal and health information collected by CNEW in the course of providing psychological services in Ontario, whether collected in person, by phone, by email, through our website, or via telehealth/virtual care platforms.
 

What information we collect
 

  • Personal information: name, date of birth, contact details (address, phone, email), emergency contact, insurance or third-party billing information.
     

  • Health information (personal health information / PHI): medical and mental health history, assessment notes, treatment plans, progress notes, risk assessments, and other clinical records.
     

  • Administrative information: appointment dates/times, payments and billing records, consent forms, correspondence.
     

  • Technical and website information: IP address, device and browser information, cookies and analytics data when you visit our website or use online booking forms.
     

  • Communications metadata: records of emails, text messages, and phone calls (content may be kept if relevant to care).
     

How we collect information
 

  • Directly from you: during intake, appointments, intake forms, consent forms, email and phone communications, and client questionnaires.

  • From others with your consent: e.g., family members, other health care providers, schools, or insurers.

  • Automatically: via our website (cookies, analytics) and appointment booking systems.
     

How we use your information We use personal and health information to:
 

  • Provide psychological assessment, treatment, counselling and care.

  • Communicate with you about appointments, treatment, referrals, and billing.

  • Manage administrative and billing needs (including claims to insurance or third-party payors).

  • Comply with legal or regulatory obligations.

  • Improve our services and run our practice (quality assurance, practice management).

  • Respond to complaints, legal matters, or public safety concerns when required by law.
     

Legal basis and consent Under PHIPA, we collect, use and disclose personal health information for the purposes of providing care. We will obtain your informed consent for collection, use, and disclosure of your health information except in limited circumstances where PHIPA permits collection, use or disclosure without consent (for example, in emergencies or as required by law). You may withdraw consent at any time in writing; withdrawal may limit our ability to provide certain services.

 

 

Disclosure to others
 

We will not disclose your personal health information except as authorized by you or as permitted or required by law. Examples of disclosures that may occur include:
 

  • With other health care providers involved in your care (e.g., physicians, psychiatrists, family practitioners, allied health professionals) — usually with your consent — to coordinate treatment.

  • To third-party payors or insurers when you request billing or reimbursement, and only the minimum information required for claims.

  • To family members or caregivers when you have consented or where permitted by law (e.g., for safety or substitute decision-making).

  • To our service providers who support our operations (e.g., secure cloud storage, electronic health record/booking platforms, billing processors, IT support). These vendors are contractually required to protect your information.

  • When required by law or legal process (e.g., court orders, subpoenas), or to report abuse, threats to safety, or other situations where disclosure is required by statute.

  • In the event of a transfer or sale of the practice, where client records may be shared as part of the transaction; you will be notified and given options in accordance with the law.
     

Retention and disposal of records We retain personal health information in accordance with PHIPA, the standards of our regulatory colleges, and best practices. As a general rule:
 

  • Clinical records are retained for a minimum of 10 years from the date of the last entry for adults.

  • For records of clients who were minors at the time of service, files are retained for a period that complies with PHIPA and college guidance (generally at least 10 years after the patient reaches the age of majority).

  • After the retention period, records are securely destroyed or de-identified such that the information cannot reasonably be reconstructed.
     

Security safeguards We use administrative, technical and physical safeguards designed to protect personal health information against unauthorized access, use, disclosure, modification or destruction. These measures include:
 

  • Limited access to records on a need-to-know basis for clinical or administrative purposes.

  • Password protection, role-based access controls and multi-factor authentication for electronic systems.

  • Encryption of electronic records and secure transmission methods for email and telehealth sessions

  • Secure physical storage for paper records, locked filing systems and restricted access to clinic premises.

  • Regular staff training on privacy, confidentiality, and PHIPA obligations.
     

Breach notification If we become aware of a breach of security that poses a real risk of significant harm to you, we will:
 

  • Take immediate steps to contain and investigate the breach.

  • Notify affected individuals as soon as feasible with details about the breach, the information involved, and steps you can take to protect yourself.

  • Notify any required regulatory bodies, including the Information and Privacy Commissioner of Ontario, when mandated by law.

  • Implement remedial measures to reduce the likelihood of a similar incident.
     

Access, correction and portability of your information You have the right to:
 

  • Request access to the personal health information we hold about you. We will respond in accordance with PHIPA timelines (generally within 30 business days; we may extend for a reasonable period and will notify you).

  • Request correction of inaccurate or incomplete information. If we disagree with your requested correction, we will annotate the record to reflect your statement.

  • Request a copy of your records or request that records be transferred to another provider where technically feasible. Requests should be made in writing to our Privacy Officer (contact details below). We may charge a reasonable fee for copying or transferring records.
     

Withdrawing consent You may withdraw consent to the collection, use, or disclosure of your personal health information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may limit our ability to provide care or fulfill administrative requirements. To withdraw consent, contact our Privacy Officer in writing.
 

Using our website — cookies and analytics
 

  • Our website may use cookies and similar technologies to enable functionality (e.g., secure online booking) and to collect non-identifying analytics (e.g., page views, device/browser type). Cookies do not collect clinical information.

  • You may be able to disable certain cookies via your browser settings; however, disabling cookies may affect website functionality.

  • We do not knowingly collect personal health information through website analytics. Any forms that collect personal or health information are transmitted securely.
     

Telehealth / virtual care
 

  • Telehealth sessions use secure, encrypted platforms. We will inform you of the platform we use and obtain your consent to receive care virtually.

  • Telehealth may have limitations (technical interruptions, privacy risks if others are present). You should ensure you are in a private space and use a secure network when attending virtual sessions.

  • Documentation of telehealth sessions is treated the same as in-person clinical records.
     

Minors and substitute decision-makers
 

  • For clients who are minors, we follow PHIPA and applicable regulatory college standards. Parents or guardians generally have the right to access a minor’s personal health information and to provide consent for treatment unless the minor is considered capable under applicable guidance. Determinations about a minor’s capacity to consent will be made on a case-by-case basis and documented in the record.

  • We will ordinarily discuss confidentiality limits with adolescent clients and their parents/guardians at intake. In certain circumstances (e.g., risk of harm to self or others, abuse, or where disclosure is otherwise required by law) we may disclose information to parents/guardians or to authorities without the minor’s consent.
     

Research, teaching and quality assurance
 

  • De-identified or anonymized information may be used for research, teaching, or quality-improvement projects if approved through appropriate ethical review and/or with your consent. Identifiable information will only be used or disclosed for research with your informed consent except where permitted by law.
     

Electronic communications and risks
 

  • We may communicate with you by email, text message or other electronic means for appointment reminders, billing, or other administrative purposes if you consent to receive electronic communications.

  • Electronic communications are not completely secure; if you prefer, request alternate methods of communication. Please notify us if you change your contact details.
     

Third-party websites and links
 

  • Our website may contain links to third-party sites (e.g., professional resources). We are not responsible for the privacy practices or content of those sites. Review the privacy policies of any external websites you visit.
     

Service providers and contractual protections
 

  • We may use third-party service providers (e.g., secure cloud storage, electronic health record and booking platforms, billing processors, IT support). These vendors only receive the minimum information necessary to provide their services and are contractually required to protect your information in accordance with PHIPA and industry standards.
     

Fees for access, copies or transfers
 

  • We may charge a reasonable fee for copying and transferring your records to another provider, in accordance with PHIPA and applicable college guidance.
     

How to request access, correction, or withdraw consent
 

  • To request access to your records, request corrections, or withdraw consent, please make a written request to our Privacy Officer:
     

  • Dr. Olivia Chu Yau
     

  • Centre for Neuropsychology and Emotional Wellness
     

  • 3 Centre Street Suite 201 Markham, ON L3P 3P9
     

  • Email: privacy@cnew.ca Please direct requests for access, correction, disclosure questions, withdrawal of consent, concerns about privacy practices, or reports of suspected privacy breaches to the Privacy Officer in writing where possible.

bottom of page