Privacy Rights Are IMPORTANT for Clients!

Our Healthcare Professionals at MA&CB developed privacy policies that are based on recommendations made by the “Information and Privacy Commissioner of Ontario (IPC),” in the May 2025 “Privacy Management Handbook for Small Healthcare Organizations,” ( https://www.ipc.on.ca/en ). We used this handbook to help our Medical Aesthetic Spa identify potential gaps or weaknesses in our information practices that can be strengthened to effectively protect our clients’ personal health information. The IPC consulted with various health practitioners, health privacy experts, health-related associations, and select members of the IPC’s Strategic Advisory Council. We also make sure that any client who books appointments using our third-party booking app Aesthetic Record (AR) is also protected by Ontario privacy laws such as PHIPA.

Our Privacy Policy Compliance for Medical Aesthetics & Cosmetic Boutique (MA&CB)

  • PRIVACY

  • PRIVACY COMPLIANCE FOR CLINICS IN ONTARIO

Last Updated January 6, 2026 (Still Under Construction):

This privacy policy describes our policies and procedures on the collection, use, and disclosure of your information when you complete any medical aesthetic non-surgical procedure, and explains your privacy rights and how the law protects our clients. We will use your personal data to provide & improve our services, and by completing services provided by our business, you agree to the collection and use of information in accordance with this privacy policy. This privacy policy has been created with the help of an AI-generated privacy policy template.

Interpretation & Definitions for the Purposes of MA&CB Privacy Compliance:

Interpretation:

Words whose initial letter is capitalized have the meanings defined under the following conditions, and the following definitions have the same meaning whether they appear in singular or plural form.

Definitions:

Account: Means a unique account created for each individual client to access our services or parts of our services.

Affiliate: Means an entity that controls, is controlled by, or is under common control with a party, where “control” means ownership of, or participation in, the shares, equity interest, or any other securities entitled to take part in any managing authority (eg. Business Owner, CEO, Manager, Supervisor, Sole Proprietor, Associates, & Third-Party Associates).

Company: (Referred to as “The Company/Business,” “We,” “Us,” or “Our” in this agreement) refers to Medical Aesthetics & Cosmetic Boutique (MA&CB).

Location(s), City, Country: Refers to the address of Business, City of Business, Country of Business.

Device: Means any device that can access services such as a computer, cell phone, or any digital device or tablet.

Client: “You” means the individual accessing or using the service, or the company or any other legal entity on behalf of which that individual is accessing or using the service, as applicable.

Personal data: Is any information that relates to an identified or identifiable individual (eg. individual, person, client, patient).

Personal Health Information (PHI): Is any information, in oral or recorded form, that identifies an individual and relates to their physical or mental health or to the health care provided to them (eg. health history, health card numbers, care records, and the aesthetic and health questionnaires and treatment records kept by MA&CB). In Ontario, PHI is governed by PHIPA (defined below), which is overseen by the Information and Privacy Commissioner of Ontario (IPC).

PHIPA: PHIPA stands for the Personal Health Information Protection Act, Ontario, Canada's specific law governing how health care providers and organizations (called "custodians") collect, use, and share your personal health information (PHI). It ensures your right to control your health data, defining what PHI includes (like health history, health card numbers, care records) and outlining rules for its security, access, and disclosure, with strict penalties for breaches. In Ontario, Canada, this law governs health information (including aesthetic records if health-aesthetic-related).

Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law setting national standards that protect sensitive patient/personal health information from being disclosed without the patient's consent. It establishes rules for healthcare providers on how to manage, transmit, and secure this data.

Personal Information Protection and Electronic Documents Act (PIPEDA): Is Canada's federal privacy law for the private sector, setting rules for how businesses collect, use, and disclose personal information during commercial activities, emphasizing consent and fair handling, and applying to federally regulated sectors like banking, telecom, and transportation. It also applies to organizations in provinces and states without substantially similar laws. PIPEDA is overseen by the Office of the Privacy Commissioner of Canada (OPC) and is guided by 10 fair information principles, including accountability, consent, accuracy, security safeguards, identifying purposes, and limiting use, collection, disclosure, and retention.

Service: Refers to the website and booking apps, or any other platform.

Service provider: Means any natural person or professionally licensed legal entity that processes data on behalf of the company. It refers to third-party companies/associates, or individuals employed by or collaborating with the company, engaged to facilitate the service, to provide any service specified or offered by the company, to perform services related to the service, or to assist the company in understanding how the service is completed or used.

Website: Refers to Medical Aesthetics & Cosmetic Boutique (MA&CB) https://www.medicalaestheticscosmeticsboutique.com/

Website Provider: This is a “web host,” or a company (eg. Squarespace) that offers space on powerful, internet-connected servers to store your website's files and make them accessible to users globally.

Booking app: Refers to the Aesthetic Record (AR) third-party booking app used to book services provided by the company, which collects personal data for each service completed using HIPAA/PHIPA approved applications to book services and keep client information confidential: https://bdisy.myaestheticrecord.com

Collecting, Using & Personal Data Sharing:

Personal Data:

While clients use our service, our licensed health care professionals of various specialties, and any other professional working with the company, may be required to ask individuals to provide personally identifiable information that is used to contact or identify each individual. Personally identifiable information includes the following:

  1. Email address

  2. First & Last name

  3. Mobile/telephone contact information

  4. Address, city, province, country, and/or postal code

  5. Personal, Aesthetic, & Medical history information

Using Data:

Clients provide personally identifiable information, and some data may be collected verbally or non-verbally. This also refers to any data collected automatically, either generated by use of the service or from the service infrastructure itself, through our company website, booking app, and/or any media platform including social media.

Data Sharing:

No personally identifiable data is shared with any third parties for promotional or marketing purposes.

Mobile opt-in and consent are never shared with anyone or any business other than the business you are opting-in to receive information from for any purpose. Any information sharing that may be mentioned elsewhere in this policy excludes mobile opt-in data.

Messaging Terms and Conditions:

By providing your phone number and agreeing to receive texts, you consent to receive text messages from MA&CB, from 226-605-5267, regarding account notifications, customer care, delivery notifications, and our marketing (not marketing from a separate entity). Consent is not a condition of purchase. Message frequency varies. Message & data rates may apply. You can reply STOP to unsubscribe at any time or HELP for assistance. You can also contact us at 226-605-5267 or macb.np.2020@gmail.com. Mobile opt-in information is never shared with third parties.

Ontario has passed provincial legislation specifically regarding the privacy of Personal Health Information (PHI) that is substantially similar to federal law, and there are many details clinics need to keep in mind and actions they need to take to become compliant.

How Does SquareSpace Protect MA&CB Website for Our Business & Our Customers?

It is absolutely necessary for OUR business to protect our clients’ personal data and personal health information (PHI). MA&CB has provided a list below of how our website provider Squarespace continuously protects our business and clients. We ALWAYS make sure our clients’ personal and health information is protected, and we ALWAYS make sure our business and our third-party companies/associates are following provincial and federal laws.

Protects Client’s Websites with Automatic SSL certificates

An SSL certificate is a digital file that verifies a website's identity and enables encrypted connections, securing data between a user's browser and the website's server.

Protects Client’s Websites with Web Application Firewall (WAF)

A WAF is a security tool that protects web applications by filtering, monitoring, and blocking malicious HTTP/S traffic between the internet and the application.

Protects Client’s Websites with Data Encryption (TLS)

This secures internet communications by encrypting data sent between a user's browser and a website's server, preventing eavesdropping and tampering, ensuring privacy, integrity, and authentication, primarily through the use of digital certificates and a handshake process to establish a secure connection (HTTPS)

Protects Clients Using Features such as HSTS (HTTP Strict Transport Security)

HSTS instructs browsers to connect to the site only over HTTPS. This stops attackers from forcing a connection from HTTPS down to insecure HTTP, removes the need for slow HTTP-to-HTTPS redirects (improving performance and security), prevents attackers from intercepting cookies or data by forcing all communication over HTTPS, and prevents users from clicking through security warnings for invalid certificates, so they trust only secure connections. The protection kicks in after the first visit, once the browser has received the HSTS header, and is then enforced on every later visit for as long as the lifetime declared in the header lasts.
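As an added illustration (not Squarespace's or MA&CB's code), the following Python checks whether the Strict-Transport-Security header a site actually serves delivers the protection described above. It parses the header the way a browser reads it and lists the gaps a site owner should act on. The header values are constructed samples, and the one-year minimum is the value the HSTS preload list requires.

```python
"""Parse and evaluate an HTTP Strict-Transport-Security (HSTS) header.

Added example, not code from Squarespace or MA&CB. The sample header values
at the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The HSTS preload list requires a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000  # seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Returns None when the header is absent or carries no valid max-age,
    which is exactly the case in which a browser ignores the policy.
    """
    if not header_value:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None  # a malformed max-age invalidates the whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(header_value: Optional[str]) -> List[str]:
    """Return findings a site owner should act on; an empty list means the
    header is strong enough to submit to the preload list."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no valid Strict-Transport-Security header: the browser will not enforce HTTPS"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 removes the policy; browsers will allow plain HTTP again")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age}s is under one year; too short for the preload list")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains (e.g. a booking subdomain) stay unprotected")
    if not policy.preload:
        findings.append("preload missing: the very first visit still happens before the header is seen")
    return findings


# Constructed sample headers, one per case a site owner may run into.
SAMPLE_HEADERS = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=3600",
    "disabled": "max-age=0",
    "missing": None,
    "malformed": "max-age=abc; includeSubDomains",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:9s} -> {evaluate_hsts(value) or ['OK']}")
```

Run the file directly to see each sample evaluated. To check a live site, pass the value of its Strict-Transport-Security response header to evaluate_hsts; an absent or malformed header yields a single finding because browsers discard the policy entirely in that case.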

Protects Using the General Data Protection Regulation (GDPR)

Squarespace also takes a continuously evolving approach to GDPR, working diligently to ensure its preparation meets the demands of GDPR as a company and for ALL customers. This includes reviewing how they store and use data about customers and on MA&CB’s behalf, and providing editing tools for posting MA&CB’s legal terms or privacy policies on our business website.

Cookies

Squarespace uses cookies to help our business website run effectively and to help the website provide the best experience for our visitors. They also use cookies on squarespace.com across their web and mobile apps to operate and secure their services, and customize every experience.

In addition, Squarespace offers strong account security (2FA) and private page/site password protection, safeguarding data and limiting unauthorized access for visitors and owners alike. You can find how Squarespace protects and processes our data at the link provided below.

https://www.squarespace.com/data-privacy#:~:text=SSL%20prevents%20hackers%20from%20impersonating,protected%20with%20free%20SSL%20certificates

How MA&CB Aesthetic Record Booking App is Protected:

Our booking app protection is very similar to our security precautions for our website. We make sure to ALWAYS protect our clients’ personal data and PHI. MA&CB has provided links below outlining the ways the Aesthetic Record (AR) booking app protects our business and our clients. We ALWAYS make sure ALL information collected via our booking app is safely stored, and prior to choosing our third-party associates, we make sure their compliance with provincial and federal requirements is up to date and ALWAYS monitored.

MA&CB has chosen the Aesthetic Record (AR) booking app. This is an American-based app; however, it follows HIPAA compliance. As mentioned in the definitions and information provided in this privacy policy, both HIPAA and PHIPA protect personal and health information under strict regulations. HIPAA applies nationwide in the U.S., with stricter breach notification (60 days) and Business Associate Agreements (BAAs). Both HIPAA and PHIPA emphasize patient consent (implied/written) for data use, strict Electronic Health Record (EHR) security, and regulator notification for breaches; both aim to secure sensitive health information, but through different regulatory frameworks. AR is utilized in Canada by Canadian healthcare professionals and practitioners, ensuring compliance with PIPEDA/HIPAA (more information below on PIPEDA), handling ePrescribing, and streamlining clinic operations. AR is a popular choice for medical spas and aesthetic clinics because it offers robust documentation features, photo management, and marketing tools while helping meet evolving provincial regulations for healthcare documentation. Below are links to HIPAA terms, BAAs, and terms of service:

https://app.aestheticrecord.com/settings/hipaa-terms-of-use

Business Associate Agreement (Accepted by Medical Aesthetics & Cosmetic Boutique on 06/06/2025)

Terms of Service (Accepted by Medical Aesthetics & Cosmetic Boutique on 06/06/2025)

Tax Free Status

Guidelines for PHIPA are different for every Province

Privacy will depend on the Province. Since MA&CB is located in Ontario, our clinic is required to follow the Ontario guidelines. The link below provides our clients with details regarding PHIPA recommended guidelines under PIPEDA.

https://www.ipc.on.ca/sites/default/files/legacy/Resources/hguide-e.pdf    

PHIPA Requirements Regarding Use & Disclosure of Collection Data for Medical Spas in Ontario

MA&CB follows a set of principles when we collect and/or disclose information regarding PHI. The following information is regarding the use, disclosure, and collection of data required by PHIPA:

  1. Our business only collects, uses or discloses PHI if the individual consents and signs consent documentation, or if required by PHIPA.

  2. Our business will not collect, use or disclose PHI if other information will serve the purpose.

  3. Our business will not collect, use or disclose more PHI than necessary to meet specific purposes.

  4. If our business is interested in marketing treatment progress, we are required to obtain express consent, and/or consent that can be proven by signed documentation.

  5. Our business can request and/or ask for consent to collect, use or disclose information for fundraising purposes; if the information is limited to name and mailing address and an easy way to opt out is provided, implied consent may be assumed.

  6. Our business collects PHI directly from the individual unless otherwise impossible, and if we must collect PHI indirectly, we will consult PHIPA on acceptable reasons and parameters.

Understanding Key Terms Regarding Personal Health Information Protection Act (PHIPA)

It is VERY important to understand the definition of a health information custodian (HIC) and what that health care, medical care, and/or medical spa clinic includes. In addition, other businesses that individuals may consider “beauty spas,” and/or any other business pertaining to beauty (eg. lashes, nails, waxing) that work in the same facility are not considered HICs, but are considered agents: individuals authorized by HICs to perform services involving PHI on their behalf. So, PHIPA compliance extends to employees, contractors, and any other service provider as part of their contract with the HIC. On the contrary, if other businesses work at the same location but hold different business titles and names, they are required to follow the regulations pertaining to their own infrastructure separately. Definitions for HICs and agents are provided in detail below.

Definition of an Aesthetic Medi Spa, Medical Spa, or Med Spa:

An Aesthetic Medi Spa, Medical Spa, and/or Med Spa is considered a hybrid facility which combines the relaxing environment of a traditional day spa with advanced practices such as non-surgical medical aesthetic procedures that would otherwise occur at a licensed registered health care professional’s clinic, such as a Dermatologist. If the business is owned by a Registered Practical Nurse (RPN), Registered Nurse (RN), and/or a Respiratory Therapist, these health care professionals MUST be under the medical directive of a Nurse Practitioner (NP), Physician (MD), Dermatologist, and/or a Surgeon with the appropriate certifications to complete the services included in a mutual medical directive. Medical oversight must be included for all non-surgical medical aesthetic procedures.

What to Know About Privacy Policy Laws for Health Records in Ontario

Private-sector businesses such as MA&CB that conduct commercial transactions in Ontario, including all disciplines of allied health clinics such as medical spas and solo practitioners, must handle personal information in accordance with Ontario’s privacy legislation, the Personal Health Information Protection Act (PHIPA). This is because PHIPA has been deemed “substantially similar” to the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Therefore, in most cases PHIPA is used in place of Canada’s federal law where health records are concerned. The privacy policies of “all” allied health clinics are governed by PHIPA: they require explicit consent for collecting, using, and sharing PHI, limit data use to stated purposes (like treatment), ensure secure storage, and grant clients the right to access and/or correct their data, with specific rules for online information versus electronic medical records (EMR). Medi spas must state what information is collected (health hx, contact, payment) and how it is protected.

Personal Health Information Protection Act (PHIPA).

Personal Information Protection and Electronic Documents Act (PIPEDA).

The link below provides an overview of the federal law in Canada for allied health businesses. In some cases, clinics and medical spas directly apply this federal law, but many electronic medical record (EMR) users across Canada check at the provincial level first. MA&CB has also provided information above regarding how the Aesthetic Record (AR) booking app protects PHI for our business and our clients.

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/

What is Personal Health Information (PHI)?

In Ontario, PHI includes any and all information related to the provision of health care and to an individual’s physiological, physical, and emotional/mental health that is provided orally, in writing, virtually, in an EMR, or in any other recorded form. It is extremely important for any health-related business to provide individuals with sufficient knowledge and education, and to implement these provisions within their privacy policies attached to any website or booking app, and/or verbally during in-person appointments, so individuals understand what PHI is governed and protected under PHIPA. PHI includes the following:

  1. Personal & family history (eg. health aesthetic questionnaires)

  2. Personal identification information (eg. email, and phone number)

  3. Plans of service (eg. dermal filler treatment)

  4. Payment information (eg. POS systems)

  5. Eligibility for health care and/or services provided by MA&CB (eg. Insurance coverage for migraine headaches)

  6. Information regarding body parts or substances (eg. Platelet-rich-plasma Therapy)

  7. Health Card Numbers (eg. for publicly covered services for acne treatment)

  8. Information that can identify the individual or a substitute decision maker who acts on the individual’s behalf.

Access to Personal Health Information for Clients:

The right to access PHI is subject to the limitations under PHIPA, no matter what website, electronic medical records (EMRs), and/or booking apps are used by the business for clients. The right of access applies only to records that are dedicated to one individual. If a record is about more than one individual, only the portion of the record about that individual may be granted. The right of access does not apply to quality of care information, quality assurance information, raw data from psychological tests and assessments, or other specified types of information. Certain legal privileges, laws, proceedings, inspections, and investigations may restrict disclosure in some cases. The right of access does not apply if disclosure would result in serious harm to any person.

Who is a Health Information Custodian in Ontario?

PHIPA applies to “ALL” health information custodians. A health information custodian is a person who provides health care to individuals and has custody or control of their PHI. Health information custodians include health care practitioners who are members of a regulated health profession (eg. College of Nurses of Ontario), including allied health clinics delivering health care services, and practitioners whose primary function is to provide a health care service for payment to customers, clients, and/or patients, regardless of whether the services are publicly funded. In a medical spa, a licensed registered professional who completes medical aesthetic non-surgical treatments, or facial and/or skin treatments, for payment is considered a health information custodian. This includes the following:

  1. Registered Practical Nurse (RPN)

  2. Registered Nurse (RN)

  3. Nurse Practitioner (NP)

  4. Physicians (MD)

  5. Dermatologists

  6. Plastic Surgeons

Who is an Agent in Ontario?

A custodian may authorize an agent to collect, use, retain, disclose or dispose of personal health information (PHI) for them, or on their behalf. Agents have certain responsibilities of their own under PHIPA. It is important to know that custodians are accountable for the actions of their agents, whether or not the agent has authority to bind the custodian, is employed by the custodian, or is being remunerated. Agents are often full-time or part-time employees but may also be contractors or volunteers. On the contrary, if an employee’s job does not involve working with PHI on behalf of the custodian, they are NOT considered an agent. Throughout this privacy policy, we will use the term employees to refer to any staff, contractors, or volunteers. The term agent will be used specifically for team members who handle PHI on the custodian’s behalf.

Medical Aesthetic Treatments at MA&CB

In addition, medical and/or aesthetic non-surgical, and/or health care treatments include the following:

  1. Neuromodulators (eg. Botox, Dysport, Nucevia, Xeomin)

  2. Dermal Fillers (eg. Revanesse)

  3. Platelet-Rich-Plasma (PRP) (eg. skin rejuvenation, and/or hair restoration)

  4. Collagen Induction Therapy (CIT) (eg. microneedling)

  5. Intravenous Vitamin Infusions (eg. Myers Cocktail)

  6. B12 Injections

  7. Chemical Peels (eg. PCA chemical peels)

  8. Hydro-jelly Facials (eg. Esthemax hydro-jelly masks)

So, as regulated licensed healthcare professionals and/or certified estheticians, we are required to determine whether the treatment/procedure/service an individual is requesting for a scheduled appointment is appropriate and safe to complete, by gathering specific personal health care information (eg. Aesthetic & Health Questionnaires) before proceeding, and we are accountable for ensuring compliance with PHIPA regulations.

Actions that MA&CB Follows for Compliance with PHIPA

The following is a list of items that MA&CB continuously makes sure are completed by all professional and registered licensed staff to stay up-to-date with PHIPA Compliance:

  1. Keep up-to-date health records

  2. Keep records secure

  3. Store records for appropriate time frames

  4. Create Breach Procedures

  5. Appoint a Privacy Contact Person

  6. Publish Privacy Practices

  7. Consider Appointing an Agent/Handler

  8. Obtain Consent

  9. Provide Access to PHI (MA&CB provides individuals with access to their PHI within 30 days of a request made orally or in writing).

Consent under PHIPA

PHIPA Ontario’s general principles state that clinics need either express or implied consent to collect, use and disclose PHI. The specifics of when express consent is needed and when implied consent is sufficient are highly strict under PHIPA. Let’s review the differences for healthcare law:

Implied consent: Permission for an aesthetic, medical, or any other service or treatment required by a healthcare professional that is not explicitly stated (verbally or in writing) but is inferred from a person's actions, behaviour, or the surrounding circumstances. Usually used for routine, low-risk, or non-invasive procedures where the patient’s cooperation suggests agreement.

Key Aspects of Implied Consent

Inferred from Conduct: Consent is understood from what an individual does (or does not do) in a specific situation. For example, if a patient schedules an appointment, attends the appointment, and sits in the procedure chair or rolls up their sleeve for a blood draw (ex. PRP), this implies consent for those specific services, treatments, and/or procedures.

Routine and Low-Risk: Implied consent is sufficient for non-invasive treatments such as non-surgical injections that carry little or no appreciable risk of harm.

Emergency Situations: In life-threatening emergencies where a patient is unconscious or unable to communicate, consent for necessary, life-saving treatment is legally presumed or "assumed implied". The law assumes the person would consent to treatment to preserve life or prevent serious harm during the scheduled time for that service/treatment/procedure. This also covers the case where a client gives an incomplete or dishonest personal/health history on the questionnaires they sign, and the healthcare professional is placed in the position of having to complete life-saving treatment.

Patient Autonomy: Patients can withdraw implied consent at any time. If a patient expresses refusal or discomfort, healthcare providers must stop the procedure unless a critical emergency requires immediate action.

Informed Basis: Although not formally documented with a signature, valid implied consent still requires the patient to be reasonably informed about the general nature of the procedure (this is explained on the website and in person during scheduled appointments) and understand they have the option to refuse. 

Overall, implied consent is a practical and necessary part of everyday healthcare operations, but it relies on clear communication and reasonable assumptions based on patient behaviour within the established context of care. 

Definition of Implied Consent: The permission for an action can be assumed based on the circumstance and related information. When PHI disclosure is for the purpose of providing further health care and/or aesthetic procedures. For example, if a healthcare professional is disclosing PHI when referring care to another practitioner - consent can be implied.

Definition of Express Consent - This is the act of an individual expressly giving permission for an action. When PHI disclosure is for any other purpose not related to the service/treatment/procedure, extending health care services, consent must be expressed.

However, consent is NOT required for collection, use and disclosure when the clinic/practitioner believes, on reasonable grounds, that the collection, use or disclosure is necessary to eliminate or reduce a significant risk of bodily harm to one or more persons.

The following are also other very specific exceptions to consent regulations:

It’s OK to USE PHI without consent when:

  • Using the information for the purpose for which it was already collected

  • If it is required by law to disclose it

  • If it is used for risk/error management or to improve the quality of care

  • When educating agents who provide health care (eg. providing education for students in educational situations with the permission of the consenting individual)

  • For purposes involving the disposing of or modifying the information to conceal the identity of the individual

  • When the purpose is to obtain consent for a legal proceeding, obtaining payment for healthcare, for research (subject to certain conditions), or if permitted and/or required by law.

MA&CB ALWAYS refers to PHIPA Ontario for details if any of these situations apply to our employees, our healthcare professional team, or our clinic.

It’s OK to DISCLOSE PHI without consent when:

  • When an individual has provided a religious affiliation, consent may be implied to disclose the individual’s name and the name and location of the health care facility to a religious representative.

  • When a healthcare professional at MA&CB is completing a procedure that requires a pharmacist, the pharmacist may disclose PHI to a third party who is being asked to provide payment for medication or related goods (ex. insurance plans that cover B12, Infusion Therapy, and/or Botox for Migraines).

  • When disclosure is to provide further health care for a reason outside the scope of practice at MA&CB.

  • When disclosure is related to a deceased individual.

  • To mitigate risks (exercising good judgement in determining what is a significant risk and what is in the best interest of the client/customer/patient).

  • If required for proceedings.

  • If and when PHI is given to a successor.

  • If research is approved by the ethics board.

  • To monitor health care payments.

  • To analyze the health care system.

  • If disclosure has been otherwise approved by the Commissioner.

Please refer to PHIPA Ontario for further details if any of these situations applies to you or your clinic.

When is consent on behalf of another reasonable?

  • An individual may authorize another person to act on his or her behalf.

  • A parent may consent on behalf of a child who is less than 16 years of age (this will not occur for aesthetic procedures such as neuromodulators, dermal fillers, collagen induction therapy, and/or PRP).

  • A substitute decision maker may consent on behalf of an individual who is incapable of consent (this will NOT OCCUR for aesthetic procedures).

  • An estate trustee or administrative person may provide consent for a deceased person.

  • A person who is required by law to act on behalf of another person may provide consent for that individual.

This information is not a legal interpretation of the law, and it is NOT binding on the Office of the Information and Privacy Commissioner of Ontario (IPC). This information is not intended to, and should never, replace formal legal counsel.

PHIPA/HIPAA APPROVED BOOKING APP