Is ChiroUp PHIPA compliant?

ChiroUp takes all subscribers' data privacy and security seriously. This includes compliance with the Ontario Personal Health Information Act (PHIPA), which governs the manner in which personal health information may be collected, used, and disclosed within the health sector. Given the stringent controls ChiroUp applies to subscriber data, PHIPA compliance is straightforward.

In order to comply with PHIPA, the Office of the Information Commissioner of Canada recommends that organizations adopt an array of measures to safeguard Protected Health Information (PHI). Below are the measures ChiroUp has implemented in order to satisfy compliance.

  1. Security Controls: PHIPA requires organizations to apply administrative, physical, and technical controls to ensure the security of PHI in their custody or control. Our security controls include:
    1. Security Risk Assessments: ChiroUp conducts a yearly Security Risk Assessment in order to identify risks and implement mitigation strategies.
    2. HR Security: this includes background checks on any prospective employees, privacy and security onboarding training, required Confidentiality & Non-Disclosure Agreements, and Subcontractor due diligence.
    3. Administrative Security: Written Information Security Program, Policies and Procedures management and training, Monthly Security Awareness Training Campaign and simulated phishing tests, Asset management, and Password Management.
    4. Physical Security: ChiroUp does not store patient data on-site, so our physical controls focus on preventing unauthorized access to work devices. These controls include restricting access to secure areas using locks and PIN codes. ChiroUp stores its subscribers' PHI in AWS data centers within Canada, in order to comply with PHIPA.
    5. Technical Security: this includes AES-256 encryption for data at rest (this is the strongest and most robust encryption standard that is commercially available today), TLS 1.3 encryption for data in transit, user identification and authentication, Multi-Factor Authentication, user authorization and access controls based on a need-to-know basis, a CrowdStrike Endpoint Detection and Response sensor on all work devices, VPN on all devices, configuration management, vulnerability and security patching, logging and monitoring, network management, and regular data backups and a data loss prevention strategy.
  2. Access & Correction Rights: PHIPA provides individuals with the right to access, correct, and in some cases, ask for the amendment of their data. ChiroUp provides its subscribers the ability to access and modify their personal information or patient data within the app. In addition, ChiroUp makes it easy for its subscribers' patients to access or modify their information. Subscribers can contact support@chiroup.com if they need assistance.
  3. Data Breach Management: ChiroUp's Incident Response Plan is designed to respond to events potentially impacting the confidentiality, integrity, and/or availability of its Services or Subscriber information. ChiroUp will take appropriate steps and measures to mitigate and remediate any known threat, and in the event ChiroUp discovers a security event that impacts PHI, ChiroUp will notify its subscribers without undue delay (no later than 60 days). ChiroUp will also notify any appropriate government agency, including the Information and Privacy Commissioner of Ontario.
  4. Openness: ChiroUp is transparent about the way it handles subscriber data. Information regarding ChiroUp policies and procedures relating to the management of personal information can be directed to the Assigned Privacy & Security Official.
  5. Collection, Use, Disclosure, and Disposal of PHI: ChiroUp receives your consent to store your patients' PHI when you become a subscriber. ChiroUp will never sell or trade your patients' data. ChiroUp employees are restricted from accessing its subscribers' PHI, unless it is absolutely required to conduct business. ChiroUp may only use or disclose PHI as necessary to perform the services set forth in the Service Agreement between ChiroUp and the Subscriber or when required by law.
  6. Assigned Security Official: ChiroUp has established an Assigned Privacy & Security Official to oversee compliance with applicable laws and regulations. Any and all complaints or requests can be reported to the assigned official, and they will respond in a reasonable time and investigate and address all complaints reported. The Assigned Privacy & Security Official can be reached at emily@chiroup.com.
