DRAFT — DO NOT PUBLISH. Certification claims on this page are unverified placeholders. Niral V. Merchant must confirm in writing that BridgeMed Health has achieved the named certifications before this page is published to a production domain. — Veydros Consulting
Personal Health Information Protection Act (Ontario)
BridgeMed Health operates in compliance with the Personal Health Information Protection Act [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED] — Ontario’s primary legislation governing the collection, use, and disclosure of personal health information.
PHIPA applies to every clinical encounter that takes place under BridgeMed Health’s care — the Functional Psychiatric Assessment, RTW Function-Focused Psychotherapy sessions, and the routine secure communications that support a plan member’s return-to-work plan. This page describes how the legislation maps to our operational practice.
PHIPA is Ontario’s primary statute governing how personal health information is collected, used, retained, and disclosed by health information custodians and their agents. It came into force in 2004 and has been amended several times since, most recently to align with modern digital health practices and to strengthen breach reporting obligations to the Office of the Information and Privacy Commissioner of Ontario (IPC).
BridgeMed Health is structured to operate as a health information custodian for the clinical encounters it facilitates — including the Functional Psychiatric Assessment, RTW Function-Focused Psychotherapy, and the supporting plan member communications — and as an agent of partner custodians where applicable. Either way, the same operational principles apply: data is collected only for the purposes of providing care, stored in encrypted form, and disclosed only with consent or where required by law.
PHIPA grants plan members enforceable rights, including the right to access their own records, request correction of inaccuracies, and file a complaint with the IPC if they believe their rights have been violated. BridgeMed Health honours all of these rights and has documented procedures for handling access, correction, and complaint requests. [VERIFY WITH NIRAL — DO NOT PUBLISH UNTIL CONFIRMED]
Plan member health information is collected only for the purpose of providing care. We do not collect identifying information for marketing, advertising, or any commercial purpose unrelated to the clinical engagement.
Data is stored on encrypted, access-controlled systems within Canada. Encryption at rest uses AES-256; encryption in transit uses TLS 1.2/1.3. See Platform Security for the full controls inventory.
Plan members have the right to access their own health information. Requests are handled in accordance with PHIPA timelines and may be initiated by contacting the privacy officer directly.
Disclosures to third parties — the family physician, case manager, plan administrator, or insurer — occur only with plan member consent and within the scope of clinical necessity. We do not share records beyond what is documented at intake.
In the event of a privacy breach, BridgeMed Health reports the incident to the affected plan member, to the relevant custodian or partner organization, and to the Ontario Information and Privacy Commissioner as required by law. We maintain a documented breach response procedure that covers identification, containment, notification, and post-incident review.
The Personal Health Information Protection Act grants every plan member a defined set of rights. These are not optional features — they are statutory entitlements. BridgeMed Health honours them as written and provides clear, named contacts for exercising each one.
Privacy-related questions, access requests, correction requests, and PHIPA complaints can be directed to the BridgeMed Health privacy team using the channels below. We acknowledge receipt of all written privacy requests within five business days.
Plan members in Ontario may also contact the Information and Privacy Commissioner of Ontario directly at ipc.on.ca.
