Who are we?
instream is a corporation incorporated under the Canada Business Corporations Act.
What do we do?
instream operates Internet-based electronic transaction and messaging systems for health messages and transactions, as well as a bulk-payment transaction system with mediation, in a manner that provides state-of-the-art security and privacy features. instream uses digital trust certificate authentication, as well as username and password authentication, to provide security and privacy in the electronic transmission of health messages, transactions, and bulk-payments. Further information about instream and its products and services is outlined on the instream website at instreamcanada.com.
Who is Covered by our Privacy Statement?
In this document, “you” and “your” refer to the individual or corporation who is the sender or intended recipient of a health care message and/or a bulk-payment, the individual patient or client, professional regulatory and licensing authorities, professional associations, service providers, such as practice management software vendors, and organizations that facilitate the adjudication and payment of health benefit claims, including financial institutions.
The terms “we”, “us” and “our” refer to instream and its products and services.
Our Commitment to Protecting Your Privacy
Collecting personal information about you is essential to our ability to offer you a secure, efficient, high quality internet-based electronic transaction and messaging system for health messages.
Your privacy is important to us. We will respect your privacy through the protection of your personal information. We take great care to keep both confidential and secure all personal information we collect and manage, using state-of-the-art PKI security and privacy systems. instream’s computer servers are hosted in state-of-the-art secure facilities. instream has developed both a Privacy Policy and a Privacy Code to ensure the highest standard of protection for personal information, including collection, storage, use and disclosure. These documents reflect and are consistent with the Personal Information Protection and Electronics Act, S.C. 2000, c.5 (PIPEDA).
What is “Personal Information”?
“Personal Information” is information about an identifiable individual or corporation. In the health care context, personal information means information about an identifiable individual which includes any factual or subjective information, recorded or not, about that individual, including health-related information. It may include the name, address, telephone number and other contact information, usage requirements, aggregated usage patterns and verification information. It does not include the name, title, business address or telephone number of an employee of an organization.
What information are we Responsible for Protecting?
instream is responsible for protecting your personal information in our possession or custody, including personal information that has been transferred to, or received from, a third party for processing or for other purposes for which you have consented.
How we Protect Your Personal Information?
We maintain strict security systems to safeguard your personal information from unauthorized access, disclosure or misuse.
User authentication and security of health messages and transactions are enabled through instream’s digital trust certificate services, and/or username and password.
Digital trust certificates and/or username and password will be used to authenticate users and secure transmissions through instream electronic services. Personal information can be viewed and processed only by authorized users. Each data entry is safe, secure and confidential. Further information on the protective features of these services may be found at instreamcanada.com.
All employees, agents and authorized service providers of instream are required to protect the confidentiality of your personal information. Access to your personal information is restricted to those employees, agents and authorized service providers who need it to do their jobs.
Questions and Comments
If you have any questions about the instream Privacy Policy and Privacy Code, please contact our Privacy Officer at:
privacyofficer@instreamcanada.com, Telephone 855-521-1121
instream Privacy Policy
Purpose and Consent
Before collecting personal information from you we will explain to you the purpose of collecting it. Moreover, we will only collect, retain, use and disclose your personal information with your permission, except where otherwise permitted or required by law, and will do so only to the extent that this is necessary to carry out the functions of instream services. Personal information not needed for the carrying out of these functions will not be collected.
Consent may be either implied or explicit. Health care providers should contact their professional organization and/or their licensing and regulatory authorities regarding requirements for patient consent.
The instream services enrollment process for health care providers will include a personal information consent form. A digital trust certificate and/or a username and password will be issued to ensure a high level of security.
You may withdraw your consent to collect, use and disclose your personal information at any time, subject to legal and contractual restrictions and reasonable notice. Please note, however, that withdrawing your consent will affect our ability to provide you with the benefits of instream services.
Limiting Collection of Personal Information
Our collection of personal information is limited to what is necessary and reasonable to provide an effective internet-based mode of delivery of health messages and transactions. The information will be used only for the purposes for which it is collected.
Limitation on how Long we Keep Information
Data is retained only for the period of time necessary for performing the services offered to you by instream, including updating the product or services as required by law, and for a reasonable length of time thereafter, in case we need to meet any potential obligations or legal or governmental requirements. When we destroy personal information, we will use safeguards to prevent unauthorized parties from gaining access to the information during the process.
Use of Personal Information
We will collect your personal information in order to expedite the processing of health messages and transactions through our superior internet-based transaction and messaging system.
In order to ensure prompt and accurate transmission of information between patients, health care providers and health benefit adjudicators/payors, instream will check claim messages received from participating health practitioner offices for completeness of data and appropriate formatting. This may involve opening the message file for the purposes of editing, data “scrubbing” or reconfiguration.
Disclosure of Personal Information
Information will be shared among users and with third parties associated with instream only on an “as needed” basis. Any information shared with service providers will be shared on the condition that they will use and retain such information only for the specific purpose for which they are engaged by instream. Service Providers are required to protect the confidentiality of your personal information in a manner consistent with our own internal measures, or as required by law.
For example, banking information of patients and health care providers may need to be shared in order to enable payment of benefits by way of electronic funds transfer. Information about prospective health care providers may need to be shared with professional and regulatory organizations in order to validate credentials.
We will not sell your personal information. We will not disclose it to third parties without your knowledge or permission, except in special circumstances, such as during a fraud investigation or in situations otherwise permitted by law. With the consent of the patient, the health care provider and the benefit provider, depersonalized “data extracts” of claim information may be produced for the health care provider’s professional association for research purposes. Neither the individual patient, health care provider nor the benefit provider will be able to be identified from a data extract.
Accuracy of Personal Information
We will strive to ensure that the personal information we have on file for you is accurate and up-to-date as is necessary for the purposes for which it is to be used. If any information needs to be updated or amended, we will make every effort to change our records, and will endeavour to advise other parties having access to the information in question.
Access to Your Personal Information
You have the right to ask whether we hold any personal information about you and to see that information, as provided by law. If you believe any of the information we have collected about you is incorrect or incomplete, you have the right to ask us to change it. Where we have obtained medical information about you from a third party, we will release this information only through your health care provider.
Please make your request to instream’s Privacy Officer, stating as specifically as possible which personal information you are requesting. We will try to respond to your request as soon as possible and will advise you if for some reason we cannot respond right away. Under certain circumstances, we have the right to refuse your request for access to personal information.
How to Register Complaints
You may register a privacy-related complaint by contacting instream’s Privacy Officer. We will explain our complaints process to you and will investigate all complaints. If a complaint is justified, we will take all necessary steps to set the situation right, including changing our policies and practices if necessary. We will also let you know what other complaint procedures may be available to you.
instream Privacy Code
Principle 1 – Accountability
Each employee or agent of instream is responsible for maintaining and protecting all personal information under their control. instream has designated an individual to oversee our compliance with the PIPEDA and our Privacy Policy.
Principle 2 – Identifying Purposes
We will identify the purposes for which personal information is collected, either before or at the time of collection.
Principle 3 – Consent
We will only collect, use and disclose your personal information with your knowledge and consent, except where otherwise permitted or required by law.
Principle 4 – Limiting Collection
Our collection of personal information is limited to what is reasonable and necessary for the purposes identified. Personal information shall be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure and Retention
Your personal information will only be used, disclosed or retained for the purposes for which it was collected, unless you have otherwise consented, or when it is required or permitted by law. We will only retain your personal information for the period of time required to fulfill the purposes for which it was collected.
Principle 6 – Accuracy
We will keep personal information we collect as accurate, complete and up-to-date as necessary to fulfill the purposes for which it was collected.
Principle 7 – Safeguards
We will protect the personal information we collect with security safeguards appropriate to the sensitivity of the information.
Principle 8 – Openness
Information about our policies and practices relating to the management of personal information will be made readily available to you.
Principle 9 – Access
You may request access to your personal information at any time to review its content and accuracy. Upon request, you will be informed of the use and disclosure of your personal information. You are entitled to challenge the accuracy and completeness of the information and to have it amended as necessary.
Principle 10 – Complaints and Suggestions
You may contact us with any questions, complaints or suggestions with respect to our Privacy Policy and Privacy Code.