Privacy Policy

Our Commitment to You

At Little Mouths, here is our commitment to you and your child:

Consent first: We will never gather or disclose any of you or your child’s personal information without obtaining the consent of the child’s substitute decision-maker. As parents and legal guardians, you act as substitute decision-makers for your children regarding their health information.

Transparency: Any information collected comes from sources such as parents/legal caregivers/substitute decision-makers, previous healthcare providers (if explicit consent is provided by substitute decision-makers), any shared medical reports, and information collected during the process of assessment and treatment of your child. Little Mouths aims to be transparent in how we manage and store you and your child’s private information.

Minimum Amount Required: We will collect as little information as is required to accurately provide services to you and your child, as well as to meet the standards outlined by the College of Audiologists and Speech-Language Pathologists of Ontario. Little Mouths will not collect, use, or disclose personal health information if the information already on hand is sufficient to meet the purpose of service provision to your child.

Data Minimization: Little Mouths will actively review any data to make sure that it is not being held onto longer than necessary. See section on Data Storage for additional information on where your information is stored and for how long.

Accountability: Little Mouths takes full responsibility for protecting the PHI in our custody and ensuring that any agents (staff or contractors) also follow these rules.

Proactive Risk Management: Little Mouths will work to identify and mitigate privacy and security risks before they happen, such as through Privacy Impact Assessments when starting a new service or technology.

Individual Rights: Little Mouths will honour your rights to access your records, request corrections (See Right of Access and Right of Correction below), and be notified in the event of a privacy breach.

We also promise the following:

Staff Training: Little Mouths ensures that all its staff maintain up-to-date privacy training. Staff will have to sign annual confidentiality agreements attesting to their commitment to these privacy rules.

Physical Safeguards: All physical paper records are kept in a locked filing cabinet and only taken out when needed. The locked filing cabinet is located in a low-traffic area and only staff have access to the keys to the cabinet.

Digital Safeguards: Our website uses HTTPS encryption, meaning information is scrambled while traveling from your browser to our server. Data stored in Google Workspace is encrypted "at rest." Access to your data is restricted to Andrée-Anne Morrissey (therapist/owner of Little Mouths) via Two-Factor Authentication (2FA). We do not share these files with any unauthorized third parties. As for Jane, the Privacy Officer at Little Mouths, Andrée-Anne Morrissey, maintains and regularly reviews system access logs to detect any unauthorized access to files.

Breach Protocol: In the unlikely event of a privacy breach (e.g. loss, theft, or unauthorized access), a procedure is put in place to make sure that any and all affected individuals are notified. The Privacy Officer will notify you at the first reasonable opportunity in the event of a breach.

What Information we Collect

Personal Health Information includes your demographic information such as: name, address, telephone number, and family; past, present, or future information about your physical or mental health or condition; and information about the services provided to you, including payment information, if any of that information may be used to identify you.

Uses of Personal Health Information

We use your personal health information for the following reasons:

1. To provide treatment for children and their families
2. To collect payment for assessment and treatment
3. To conduct risk assessments
4. To conduct quality improvement activities, such as sending satisfaction surveys
5. To educate students
6. To complete data quality and analysis
7. To comply with legal and regulatory requirements
8. To fulfill other purposes permitted or required by law

Storage of Information

Initial inquiries (while booking a consultation) are temporarily stored in an encrypted Google Sheet. We use a Google Workspace Business account, which includes a Business Associate Agreement (BAA) and enterprise-grade security to meet Ontario’s PHIPA requirements. Once you become a client, your records are moved to Jane, our primary practice management platform. Jane is a PHIPA-compliant platform with data stored on secure Canadian servers. Here are Jane’s Privacy Policy and Terms and Conditions, which Little Mouths has agreed to abide by to keep your information safe. If you have additional questions about how Jane stores your information, you may be able to find it on Jane’s Protecting Patient Data page.

Information stored in the Google Workspace, stored when a client requests a free consultation, is deleted after 6 months if no services are initiated. If you become a client, your data is transferred to Jane, and the temporary record in Google Sheets is removed. Once the information is in Jane, Little Mouths must follow the Records Regulations (2015) set out by the College of Audiologists and Speech-Language Pathologists of Ontario. Information, including PHI and financial information (e.g. invoices, receipts) must be stored for 10 years after a client’s 18th birthday or 10 years after the last date of services, which ever is later.

Right of Access and Right of Correction

As a legal caregiver, you have two rights: Right of Access and Right of Correction.

Right of Access: At any time, you may ask to see the data that is stored in your child’s file. The right of access is subject to certain exceptions (e.g., if access would result in a risk of serious bodily harm to the individual or another person). We will respond to your request within 30 days. If meeting this request for information interferes with the clinician’s/organization’s daily operations and cannot be met within 30 days, the healthcare provider may need to extend the deadline by an additional 30 days; however, the healthcare provider must provide the family with a document detailing length of the extension and the reason for the extension.

Right of Correction: If you believe there is a mistake in the child’s file, you can request a correction be made. PHIPA notes that the clinician may not always agree with a requested correction. If the clinician refuses a correction, the parent has the right to attach a "Statement of Disagreement" to the record.

Right to Refuse or Withdraw Consent

As your child’s substitute decision-maker, you have the right to refuse or withdraw consent for the collection, use, or disclosure of your child's health information (subject to legal exceptions, see below). For questions regarding our privacy practices, or to withdraw your consent, please contact our designated Privacy Officer:

Name: Andrée-Anne Morrissey
Email: andree-anne@littlemouthsspeech.ca

You may specifically withdraw consent for email communications while still consenting to other forms of contact (e.g., phone), you may wish to withdraw consent to share information with specific parties, or you may withdraw consent to assessment and/or treatment of your child. Upon receiving your request, we will stop using or sharing your information as directed. Please note that withdrawal of consent is not retroactive; it does not apply to information that has already been used or disclosed (e.g., if a consultation has already occurred).

Cases where PHI may be shared without explicit consent

In some circumstances, Little Mouths may be legally bound to disclose your PHI without your consent or authorization. Provincial and federal privacy law permit or require such use or disclosure regardless of your consent or authorization in certain situations, including, but not limited to:

Regulatory College Inspections: As a health professional, Little Mouths may be legally required to allow CASLPO or other regulators to inspect the records.

Mandatory Reporting: Little Mouths may have a legal obligation to report certain information, such as cases of professional misconduct, violations of the law, or matters of public health significance to a medical officer of health. Additionally, according to The Child, Youth and Family Services Act, 2017 (CYFSA) I have a duty to report suspected abuse or neglect of a child under the age of 16 to a Children’s Aid Society or local police.

Emergencies: If you are incapacitated and require emergency treatment, I will use and disclose your PHI to ensure you receive the necessary services. I will attempt to obtain your consent as soon as practical following your treatment.

Serious Threats to Health or Safety: I may disclose your PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Legal Proceedings: Little Mouths may not be able to withdraw consent for the collection, use, or disclosure of client information in certain legal circumstances. Little Mouths will only disclose the client’s PHI in the course of any judicial or administrative proceeding in response to a court order expressly directing disclosure, or in accordance with specific statutory obligation compelling me to do so.

Privacy Officer and Filing a Complaint

I, Andrée-Anne Morrissey, am the designated Privacy Officer for Little Mouths. I make sure that Little Mouths follows Ontario’s Personal Health Information Protection Act (PHIPA) to ensure that your information is kept secure. Your child’s Personal Health Information (PHI) as well as financial information (billing/payment) is also handled under these same privacy protections. Any access or correction requests should be sent to me. If you have any questions or concerns about how your child’s private information is stored, you can contact Andrée-Anne Morrissey at andree-anne@littlemouthsspeech.ca.

If you are not satisfied with our response to a privacy concern or a request for access/correction, you have the right to complain to the Information and Privacy Commissioner of Ontario. You can lodge a complaint with the Information and Privacy Commissioner of Ontario by visiting their website at www.ipc.on.ca and filling out the appropriate form. You can also e-mail the appropriate form to complaints@ipc.on.ca or IPCComplaints@ipc.on.ca. You can also reach the IPC by phone at 416-326-3333 or toll-free at 1-800-387-0073. Finally, you can mail them at:

Information and Privacy Commissioner of Ontario, Attn: Registrar
2 Bloor Street East, Suite 1400
Toronto, ON
M4W 1A8