top of page
Lockers with keys

Privacy and Security


EpiphanyClinics and all their subsidiaries, including EpiphanyClinic LA abide by:

  1. The American Health Information Portability and Accountability Act (HIPAA)

  2. The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

  3. The European Union General Data Protection Regulations (GDPR)


These set out the ground rules for how businesses must handle personal health information in the course of commercial activity.


Our adherence to these acts is our acknowledgement that EpiphanyClinics and NorthShore ADHD and Addiction Clinic has an overriding obligation to ensure that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would deem appropriate given the circumstances.

Our clinics are responsible for the protection and fair handling of personal information at all times. This applies throughout our organization and in dealings with third parties. We believe that care in the handling of personal information is essential to continued consumer confidence and good will.​


1.0 This Personal Information Privacy Policy applies to EpiphanyClinics and NorthShore ADHD and Addiction Clinic  (heretofore known as 'We'), and their subsidiaries, and to any service providers collecting, using or disclosing personal information on their behalf.Privacy

1.1  Your anonymity is preserved because your personal health information is identified only by your unique identifier, User ID#. We do not attach your name, email, IP address or other personal information as part of our mental health screening and assessment services. Your anonymous information is then encrypted, transmitted and stored in your home country by our survey tool vendor, Survey Monkey. You can read their privacy policy at

We will only use your personal information in order to verify your identity or meet regulatory requirements

​The only one who can connect your mental health information and your name is you. 

2.1 The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Our consent policy is intended to give you the who, what, where, when, how, risk and benefits of your participation. Our goal is to make sure that you know what you are consenting to, have had time to make an informed decision and the opportunity to ask questions.


2.2 Consent can only be provided in writing, electronically or through an authorized representative. 

2.3 There are no cases of implied consent.

2.4 You can withhold or withdraw your consent at any time.

2.5 Refusing or withdrawing consent will not affect your care in any way.

3.1  We will only use or disclose your personal information as mentioned above and only when necessary to fulfill the purposes identified at the time of collection, which would include contacting you to offer you the opportunity to connect to care.

3.2 We may be required to disclose your personal information to third parties when...  


  • The disclosure is required by law

  • In an emergency that threatens an individual's life, health, or personal security

  • In any situation where child protection would be warranted


3.3 We will not use or disclose your personal information for any additional purpose unless we obtain consent to do so. 

3.4 We will ask you for permission to use, store or disclose information in order to do research, improve the treatments we provide or improve the healthcare system. 


3.5 We will not sell your de-identified information without your specific consent and a specific reasonable, mutually agreed upon, financial compensation.​

Retaining Personal Information
4.1  If we use personal information to make a decision that directly affects you, we will retain that information for at least one year, so that you have a reasonable opportunity to request access to it. 

4.2  Subject to policy 4.1, we will retain client, customer, patient personal information only as long as necessary to fulfill the identified purposes above.

5.1  Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used. We will make reasonable efforts to ensure your personal information is accurate and complete, where it may be used to make a decision about you or disclosed to another organization. 

5.2  Patients may request correction to their personal information in order to ensure its accuracy and completeness.  A request to correct personal information must be made in writing and in sufficient detail to identify the correction being sought. 

5.3  If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information. If the correction is not made, we will note the patients’ correction request in the file. 


6.1  We are committed to ensuring the security of client, customer and patient personal information in order to protect it from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks. 

6.2  The following security measures will be followed to ensure that patient personal information is appropriately protected, including: 


  • physically securing offices where personal information is held

  • the use of user IDs, passwords, encryption, firewalls; restricting employee access to personal information as appropriate (i.e., only those that need to know will have access);

  • contractually requiring any service providers or third parties who requires access, to provide confidentiality agreements or comparable security measures.

6.3  We will use appropriate security measures when destroying patient’s personal information such as shredding documents and permanently deleting electronically stored information. 

6.4  We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security. 

7.1  Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Patients have a right to access their personal information, subject to limited exceptions, such as, solicitor-client privilege, disclosure would reveal personal information about another individual, health and safety concerns.

7.2  A request to access personal information must be made in writing and provide sufficient detail to identify the personal information being sought. 

7.3  Upon request, we will also tell patients how we use their personal information and to whom it has been disclosed if applicable. 

7.4  We will make the requested information available within 30 business days, or provide written notice of an extension where additional time is required to fulfill the request. 

7.5  A fee may be charged for providing access to personal information. Where a fee may apply, we will inform the patient of the cost and request further direction from the patient on whether or not we should proceed with the request. 

7.6  If a request is refused in full or in part, we will notify the patient in writing, providing the reasons for refusal and the recourse available to the client, customer, member.


8.0 EpiphanyClinics is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.


8.1 We will make detailed information about its policies and practices relating to the management of personal information publicly and readily available.

Identifying Purposes

9.0 The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.

Limited Collection

10.0 The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.​

10.1 Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.​


10.2 Personal information must be protected by appropriate security relative to the sensitivity of the information.


Challenging Compliance

11.0 An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.

Questions and Complaints
12.0  The Privacy Officer or designated individual is responsible for ensuring our compliance with this policy and the Personal Information Protection Act. 

12.1  Clients, customers, patients should direct any complaints, concerns or questions regarding Epiphany360's compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, the client, customer, patient may also write to the Information and Privacy Commissioner of British Columbia. 

EpiphanyClinics Clinic Privacy Officer
Ms. Astrid Sherman
778-945-2778 (fax)

bottom of page