Effective: May 1, 2026 · Last updated: May 1, 2026
Filipino Homecare Ltd. ("Filipino Homecare", "we", "us", or "our") is a home care agency providing in-home support to clients across Ontario. We are a "Health Information Custodian" under Ontario's Personal Health Information Protection Act, 2004 ("PHIPA"), and we are committed to handling your information lawfully, securely, and respectfully.
This Privacy Policy explains what information we collect, why we collect it, how we use and share it, how long we keep it, how we protect it, and your rights with respect to your information. If anything is unclear, please contact our Privacy Contact (below).
Filipino Homecare Ltd. is the Health Information Custodian for the personal health information described in this Policy. We have designated the following Privacy Contact to receive privacy questions, access requests, correction requests, and complaints:
2. What information we collect
We collect personal health information ("PHI") and other personal information about clients (and, where relevant, their substitute decision makers and family caregivers) for the purpose of providing home care services. Depending on the circumstances, this may include:
Identifying information
- Name, date of birth, home address, telephone, email, emergency contacts
- Ontario Health Card (OHIP) number, where relevant
- Substitute Decision Maker / Power of Attorney information
Health information
- Medical history, current diagnoses, allergies, mobility status, cognitive status (including dementia diagnosis)
- Medication lists and reminder schedule (we do not administer medications; we provide reminders only unless a Registered Nurse is engaged)
- Care plan, daily care logs, vitals (where taken), sleep and meal patterns
- Information from your physician, hospital, Ontario Health atHome (formerly LHIN/HCCSS), or other providers, when shared with us for care purposes
Service information
- Schedule of visits, hours of care, services requested
- Payment method, billing address, invoices
- Family-Managed Home Care (FMHC) funding arrangements, when applicable
- Photographs of incidents (e.g. wound care progress) only with express consent
Operational information
- Caregiver clock-in / clock-out timestamps with optional GPS at the start of a visit (used to confirm arrival; not continuously tracked)
- Daily log notes recorded by the caregiver during the visit
3. Why we collect it (purposes)
We collect, use, and disclose personal health information for the following purposes:
- To assess your care needs and develop a care plan with you and your family
- To provide and coordinate the agreed-upon home care services
- To assign appropriate caregivers and schedule visits
- To document care provided (daily logs) and meet professional standards
- To communicate with your healthcare team, family caregivers, and Ontario Health atHome where appropriate
- To bill for services and process payments
- To respond to emergencies, accidents, or incidents
- To comply with our legal, regulatory, and professional obligations
- To improve the quality of our services through internal review (using de-identified data wherever possible)
We will not use your information for marketing, fundraising, research, or sale to third parties without your express consent.
4. Consent
Express and implied consent
Under PHIPA, we generally rely on your implied consent to share PHI within your "circle of care" — the regulated health professionals, your family caregiver, and other care providers who are providing care to you. We rely on your express consent for purposes outside the circle of care (for example, sharing with an insurer for billing). At intake we will explain what consent we are relying on and obtain your signed consent on the Care Plan and Service Contract.
Withdrawing consent ("lockbox")
You can withdraw consent at any time, in whole or in part, by writing to our Privacy Contact. You can ask us to "lock" specific information so that it is not shared with a particular caregiver or third party (sometimes called a "lockbox"). We will respect your wishes to the extent permitted by law and care safety. We will tell you if a withdrawal would prevent us from providing services safely.
Substitute Decision Makers
If you are not capable of making decisions about your personal health information, your Substitute Decision Maker (typically a Power of Attorney for Personal Care, or, in their absence, the priority list under the Health Care Consent Act, 1996) may give consent on your behalf.
5. Who we share it with
We share personal health information only as needed to provide your care and as permitted by law. Recipients may include:
- Our caregivers and office staff who are assigned to your care or who support our administration. Each is bound by a written Staff Confidentiality Agreement and PHIPA training, and access is limited to clients they are assigned to.
- Your family caregiver, Substitute Decision Maker, or designated emergency contact, where you have consented or where reasonably necessary in an emergency.
- Other regulated health professionals involved in your care (your physician, nurse practitioner, hospital, pharmacy, occupational/physical therapist), within the circle of care.
- Ontario Health atHome (formerly LHIN / HCCSS), where they are funding your care or coordinating your services, with your consent.
- Service providers who help us run our business under written contracts with PHIPA-equivalent obligations, including:
  - Google (Firebase Hosting + Firestore + Cloud Functions) — secure cloud infrastructure for our caregiver scheduling app, hosted in Canadian and U.S. data centres
  - Dropbox — encrypted document storage for signed care plans and contracts
  - Twilio — secure SMS communication with caregivers (visit notifications)
  These providers act as our agents under PHIPA and may not use your information for their own purposes.
- Government authorities, where required by law or court order (for example, reporting suspected elder abuse to the police, or responding to a subpoena).
We do not sell, rent, or trade personal health information.
6. How we protect it
PHIPA requires us to take reasonable steps to protect personal health information. Our safeguards include:
- Written Privacy Policy (this document) and supporting policies (Records Handling Policy, Breach Response Plan)
- Staff Confidentiality Agreements signed by every caregiver and office staff member before they access client information
- PHIPA training for all caregivers and office staff before first access, with refreshers as policies change
- Need-to-know access — caregivers can only access records of clients they are assigned to, enforced both in our app and at the database level
- Access auditing — every time a caregiver or administrator opens a care plan or daily log, we record who, what, and when, in a tamper-evident audit log
- Encryption — data is encrypted in transit (HTTPS / TLS 1.2+) and encrypted at rest in our cloud infrastructure (Google Firestore)
- Strong authentication — caregivers sign in with a unique account and password, with mandatory password change on first login
- BYOD device security policy — caregivers are required to use a screen lock, not share their device, and not photograph or screenshot client information
- Locked physical files — any paper records (when used) are kept in locked storage at our office
- Vendor due diligence — written contracts with our cloud providers requiring PHIPA-equivalent safeguards
7. How long we keep it (retention & disposal)
We keep personal health information only as long as we need it for the purposes described above and to meet our legal and professional obligations. Our retention periods are:
- Active client records: kept while you are receiving care.
- Inactive adult client records: kept for 10 years after the date of last service. This aligns with the standard retention period for adult health records in Ontario.
- Records of clients who were minors at the time of service: kept until the client would have reached the age of 28, or for 10 years after the date of last service, whichever is later.
- Billing and financial records: kept for 7 years from the end of the tax year (Canada Revenue Agency requirement).
- Caregiver records: employment / contractor files retained for 7 years after the engagement ends.
- Audit logs (who accessed what records, when): kept for 10 years to support breach investigations and access requests.
At the end of the retention period, paper records are shredded and electronic records are securely deleted. We may keep de-identified aggregate data for quality improvement.
8. Breach response
If your personal health information is lost, stolen, or used or disclosed without authorization (a "privacy breach"), we will:
- Take immediate steps to contain the breach and recover the information where possible;
- Investigate to determine what happened and what information was affected;
- Notify you (and, where required, your Substitute Decision Maker) at the first reasonable opportunity, with information about what happened, what we are doing about it, and your right to complain to the Ontario IPC;
- Notify the Information and Privacy Commissioner of Ontario where required by PHIPA (including, without limitation, where the breach involves theft, unauthorised use by a person with deliberate intent, a pattern of similar incidents, or where notification to the IPC is otherwise mandated);
- Take steps to prevent recurrence (training, policy or system changes); and
- Document the breach and our response in our internal breach register.
If you suspect a breach involving your information, please contact our Privacy Contact immediately (phone preferred, then follow up by email).
9. Your rights — access, correction, withdrawal
Right to access your records
You (or your Substitute Decision Maker) have the right to request a copy of your personal health information. To make a request, contact our Privacy Contact in writing. We will respond within 30 days of your request, as required by PHIPA. We may extend by up to 30 additional days where the records are voluminous or require consultation. We may charge a reasonable fee, capped per IPC guidance, but will tell you about any fee before we charge it. We may refuse access only in narrow circumstances permitted by PHIPA and will explain our reasons in writing.
Right to correct your records
If you believe information in your records is inaccurate or incomplete for the purposes for which we use it, you can ask us to correct it. We will respond within 30 days. If we agree, we will correct the record. If we disagree, we will note your statement of disagreement on the record.
Right to withdraw or limit consent
You can withdraw consent for the use or disclosure of your personal health information, in whole or in part. See section 4 above.
Right to know who has accessed your records
You can ask for a list of agents who have accessed your records and we will provide it from our audit log within 30 days.
10. Our staff and contractors
Every caregiver, nurse, office staff member, and contractor working for Filipino Homecare:
- Signs a written Staff Confidentiality Agreement that incorporates PHIPA obligations, before being given any access to client information;
- Completes PHIPA training before first client access and acknowledges in writing that they understand and will comply;
- Is bound by our Records Handling Policy and Breach Response Plan;
- Has access only to the records of clients they are assigned to (need-to-know);
- Is subject to access auditing (we record who opens what record and when);
- Is subject to discipline up to and including termination, plus reporting to the IPC and law enforcement where appropriate, for any violation.
11. Website & cookies
This website (filipinohomecare.ca) collects only basic information needed to operate it:
- Standard server logs (IP address, browser, pages visited, timestamps), used for security and to fix problems
- Anonymous analytics to count visits and improve content
- Information you provide if you contact us through a form (name, email, message)
We do not collect personal health information through this public website. Care-related information is collected through our intake process (in person, by phone, or with a signed Care Plan and Contract).
12. Complaints to the Ontario IPC
If you have a privacy concern that we have not been able to resolve, you have the right to file a complaint with the Information and Privacy Commissioner of Ontario:
You do not have to go through us first — but we ask that you give us a chance to resolve concerns directly, since most issues can be addressed quickly.
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, the law, or our services. The "Last updated" date at the top of this page shows the most recent revision. Material changes will be communicated to active clients in writing. Older versions of this Policy are available on request to our Privacy Contact.
This Policy is provided for clarity. It is not a substitute for legal advice. PHIPA, the regulations under it, and IPC orders, decisions, and guidance govern in case of any conflict.