PIPA compliance

Written by Daniel Leung

Privacy by Design

Biscuit Health is committed to protecting and preserving your privacy. Our business and team are built around the Privacy by Design principles to ensure our platform is a safe space for our communities.

The Biscuit Health Platform enables our communities to access specialized allergy care tools to manage their care through our mobile App or Website, and for our clinicians and partners to oversee the care of patients through our EMR and other digital systems.

As a health clinic operating in British Columbia, Biscuit Health is PIPA-compliant. This article explains what PIPA compliance means and how we achieve compliance with these regulations and go beyond them.

Privacy Laws and Health Records in BC

PIPA BC (the Personal Information Protection Act) is legislation passed in BC that is substantially similar to the federal PIPEDA law. It requires that health clinics handle personal information with care.

What is considered personal information?

Personal information is any recorded information or data that can identify a patient (name, address, phone number, ID number) and any information that is about an identifiable patient (physical description, education, blood type). PIPA allows us to collect this information, use it, and disclose it under "reasonable purposes".

How do we comply with PIPA at Biscuit Health?

  1. Privacy By Design — We've gone above and beyond PIPA requirements by adopting a Privacy By Design culture at Biscuit Health. At a minimum, PIPA requires organizations such as Biscuit to remain in control of the personal information they collect, even when it is not in their custody. We do this by enforcing Business Associate Agreements (BAAs) with any partner that may receive personal information from us as part of our care delivery.

  2. Designated Privacy/Compliance Officer — We are required to publicly disclose the person in charge of privacy and compliance at Biscuit Health.

  3. Consent — We obtain informed consent as part of our intake and inform patients about how their personal information is collected, used, or disclosed. In keeping with Privacy By Design principles, we collect only the minimum information required to provide patients with care.

  4. Disclosure — Beyond purposes required to provide care to patients, Biscuit does not disclose personal information except as required by a treaty, subpoena, court order in an investigation of an offence, in response to an emergency where the health or life of an individual is at immediate risk, or when required to contact next of kin for a deceased or ill individual.

Right to Access under PIPA

Patients have the right to access their own personal information, and we make every effort to respond to requests within 30 business days. We may refuse a request if the information could threaten the safety of another individual, would reveal personal information about another individual, or in other limited circumstances specified by PIPA.

Please note that certain record requests may incur a $25.00 administrative fee.

Rights to correct information

Patients can make a request at any time to correct their personal information by submitting a request in our privacy portal.

Protecting personal information

Our technology and organization are built to be SOC2-compliant and HIPAA-compliant. Data is encrypted end to end and at rest. All Biscuit Health employees and contractors undergo privacy training and are required to complete refresher training annually. All patient records and personal information are backed up to a separate location to prevent accidental destruction, and all access attempts are logged and time-stamped.

Questions?

Have any questions about privacy? Feel free to email our Trust & Safety team at [email protected].