Privacy Policy

Lantern Psychiatry (“Lantern Psychiatry,” “we,” “us,” or “our”) provides outpatient psychiatric assessment and treatment services in Nova Scotia, Canada. We know you are entrusting us with highly sensitive information. This Privacy Policy explains how we collect, use, disclose, and protect your personal information—including personal health information—when you interact with us online (e.g., LanternPsychiatry.com), by phone, in person, or via telehealth (including Zoom for Healthcare).

Table of Contents

  1. Plain‑Language Summary

  2. Scope

  3. Roles & Who This Policy Covers

  4. Definitions: Personal Information & Personal Health Information

  5. What Is Not Personal Information

  6. Minors & Substitute Decision‑Makers

  7. Consent

  8. What We Collect & How We Use It

  9. Telehealth via Zoom for Healthcare (including Recording)

  10. Cookies & Similar Technologies (Website)

  11. Analytics

  12. De‑Identified & Anonymized Information

  13. Artificial Intelligence & Machine Learning

  14. How We Share Information

  15. Safeguards & Retention

  16. Where Information Is Stored & Processed

  17. Your Privacy Rights

  18. Third‑Party Links

  19. Changes to This Policy

  20. Contact Us

1) Plain‑Language Summary

  • We are your health information custodian. We collect and use only what we need to provide care, operate our clinic, improve quality, and meet legal requirements.

  • You control consent. We rely on your consent to collect, use, and disclose personal health information, subject to limits in law.

  • Telehealth & recording. We use Zoom for Healthcare for secure teleconferencing. With your explicit consent, some sessions may be recorded for quality assurance, education, and systems improvement. Refusing or withdrawing consent will not affect your access to care.

  • We don’t sell data. We never trade, rent, or sell your personal information.

  • Security. We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the information. Personal health information in our custody is stored in Canada.

  • Your rights. You may request access or corrections, set communication preferences, and withdraw consent (prospectively). See Section 17.

2) Scope

This Policy covers personal information we handle in connection with:

  • clinical services delivered by Lantern Psychiatry;

  • our website (LanternPsychiatry.com) and any patient forms or portals we operate;

  • telephone, email, and SMS communications you exchange with us; and

  • telehealth, including sessions conducted via Zoom for Healthcare.

This Policy is designed in accordance with Nova Scotia’s Personal Health Information Act (PHIA) and applicable Canadian privacy law (e.g., PIPEDA, where engaged). References to “personal information” include “personal health information,” unless stated otherwise.

3) Roles & Who This Policy Covers

This Policy applies to:

  • Patients receiving care from Lantern Psychiatry;

  • Patient representatives (e.g., parents/guardians, substitute decision‑makers);

  • Clinicians and staff working for Lantern Psychiatry; and

  • Visitors to our website.

Lantern Psychiatry acts as a custodian of personal health information under PHIA for the services we deliver.

4) Definitions: Personal Information & Personal Health Information

  • Personal information: Information about an identifiable individual, or that could reasonably identify an individual, alone or in combination with other information.

  • Personal health information (PHI) (general definition under PHIA): Identifying information about an individual’s physical or mental health, health services provided, health card number, health‑care provider(s), substitute decision‑maker(s), and related payment/eligibility information.

5) What Is Not Personal Information

  • Business contact information used to communicate with a person in their professional role (e.g., work title, work email, work address) is not personal information under PHIA.

  • Anonymized information: Data permanently stripped of personal identifiers so that re‑identification is not reasonably possible. We may generate and use anonymized statistics (see Section 12).

6) Minors & Substitute Decision‑Makers

We may collect and use PHI about minors where:

  • the minor is capable of consenting to their own care and privacy decisions; or

  • a parent/guardian or substitute decision‑maker provides consent, in accordance with law.

If you believe a minor’s PHI was provided without appropriate capacity or authority, please contact us (Section 20).

7) Consent

We obtain your consent for the collection, use, and disclosure of PHI, except where law permits or requires otherwise (e.g., risk of serious harm, court order). Consent may be implied (e.g., when you book and attend an appointment) or express (e.g., signing a form). You may withdraw consent at any time, subject to legal/contractual limits and reasonable notice. Withdrawal does not apply retroactively.

8) What We Collect & How We Use It

Identity & contact (name, DOB, address, phone, email) — to register you, communicate about care, verify identity, schedule appointments, and manage billing/insurance.

Clinical information (history, assessments, diagnoses, medications, treatment plans, notes, referrals, test results) — to provide and coordinate care, manage quality and safety, and meet legal documentation standards.

Telehealth information (meeting metadata, device/IP info, connection quality) — to deliver secure teleconferencing and troubleshoot technical issues (see Section 9).

Email/SMS preferences — to send appointment reminders or administrative messages. You can opt out of non‑essential messages.

Payments & insurance (if applicable) — to process payment and claim submissions in accordance with payer rules.

Operational logs (audit/access logs, incident reports) — to protect security, investigate issues, and comply with law and College standards.

Website interactions (limited cookies/logs) — to operate the site and improve usability (Sections 10–11).

We collect information directly from you, from your authorized representatives, and from other providers involved in your care (with your consent or as permitted by law).

9) Telehealth via Zoom for Healthcare (including Recording)

We use Zoom for Healthcare for video visits. Zoom for Healthcare provides enterprise‑grade encryption and health‑sector features. During telehealth:

Recording for quality, education, and systems improvement. With your explicit, informed consent, a session may be recorded for:

  • quality assurance (e.g., supervision, peer review);

  • education (e.g., clinician training and calibration); and

  • systems improvement (e.g., workflow evaluation, safety reviews).

Key points about recording

  • Consent first. We do not record without your express consent, which will be documented (e.g., signed form or recorded consent at the start of the session).

  • No impact on care if you decline. Refusing or later withdrawing consent will not limit your access to services.

  • Notice during sessions. You will be clearly notified when recording is active.

  • Storage location. Recordings used for these purposes are stored on encrypted, clinic‑controlled storage located in Canada. We do not rely on general cloud recording for PHI.

  • Limited access. Access to recordings is restricted to authorized clinicians/quality reviewers/educators bound by confidentiality.

  • No secondary use. Recordings are not used for marketing or posted publicly.

  • Retention. Recordings are retained only as long as needed for the stated purpose and then securely deleted. Default retention: [24 months] (adjustable; see Section 15).

Zoom’s processing

Zoom processes meeting data to connect calls and maintain service reliability. Some metadata and network routing may be processed outside of Nova Scotia/Canada depending on configuration and network conditions. We use available controls to minimize unnecessary data sharing and to align with PHIA. Clinical notes belong in the EMR; the video platform is used for care delivery, not as the system of record.

If you prefer no recording or wish to withdraw consent, tell your clinician at any time (see Section 17 for rights).

10) Cookies & Similar Technologies (Website)

Our website uses only the cookies and logs necessary to operate core features (e.g., page rendering, basic security). You can set your browser to block non‑essential cookies; doing so may limit some functionality.

11) Analytics

We may use privacy‑respecting analytics to understand aggregate site usage (e.g., page load times, navigation paths) to improve accessibility and performance. We do not include PHI in analytics. IP addresses may be transiently processed for anti‑abuse and geolocation (at coarse level) but are not linked to clinical records.

12) De‑Identified & Anonymized Information

  • De‑identified information: We may remove direct identifiers and use the resulting data internally for quality improvement, safety reviews, and service planning.

  • Anonymized information: We may aggregate and irreversibly anonymize data to generate statistics (e.g., service volumes) that do not identify individuals. We do not attempt to re‑identify anonymized data.

13) Artificial Intelligence & Machine Learning

We may use carefully governed tools (e.g., dictation, transcription, or summarization aids) to assist clinicians. Our practices:

  • No automated clinical decisions. AI tools do not make treatment decisions.

  • Prefer de‑identification. Where feasible, we use de‑identified data and clinic‑controlled processing.

  • Vendor obligations. Any vendor handling PHI must meet contractual and legal safeguards consistent with PHIA.

  • Training use. We do not allow vendors to train general‑purpose models on your PHI without explicit agreement consistent with PHIA.

If we introduce new AI features materially affecting privacy, we will update this Policy and obtain any additional consents required.

14) How We Share Information

We do not sell personal information. We disclose PHI only as permitted or required by law and as necessary to provide care and operate the clinic. Typical disclosures include:

  • Care coordination with other providers/facilities, with your consent or as permitted by law;

  • Service providers (e.g., EMR hosting, secure messaging, transcription, IT/security, secure storage, billing) under contracts requiring confidentiality, minimum necessary use, and PHIA‑consistent safeguards;

  • Legal and safety purposes (e.g., court orders, reportable risks of serious harm) to the extent required or permitted by law; and

  • Business continuity events that exclude PHI unless strictly permitted by law and subject to appropriate safeguards.

15) Safeguards & Retention

We implement administrative, technical, and physical safeguards proportionate to the sensitivity of PHI, including role‑based access, encryption, audit logging, least‑privilege controls, and staff confidentiality obligations.

Retention. We retain clinical records in accordance with professional standards and legal requirements. Non‑record artifacts (e.g., QA recordings) are kept only as long as necessary: [default 24 months] unless a longer period is required for an ongoing quality review, investigation, or legal obligation. On expiry, items are securely deleted or anonymized.

16) Where Information Is Stored & Processed

  • Clinical records (PHI) in our custody are stored in Canada.

  • Certain operational services (e.g., network routing, teleconferencing metadata, email delivery) may involve processing outside Canada. In such cases, information may be subject to the laws of those jurisdictions. We select vendors and configurations with privacy and security in mind and use contractual protections consistent with PHIA.

17) Your Privacy Rights

Subject to legal limits, you may:

  • Access your PHI and request corrections to inaccuracies;

  • Set or change your communication and recording preferences;

  • Withdraw consent (prospectively) for collection, use, or disclosure not otherwise authorized by law;

  • Request an accounting of disclosures as required by law; and

  • Make a complaint to Lantern Psychiatry and/or to the Nova Scotia Information and Privacy Commissioner.

We may ask for information to verify identity before fulfilling requests. Some requests may be limited or declined where permitted by law (e.g., risk of serious harm, third‑party confidentiality).

18) Third‑Party Links

Our website may link to external sites or services. Their privacy practices are their own. Review their policies before using those services.

19) Changes to This Policy

We may update this Policy as our services, technologies, or legal requirements evolve. When we do, we will revise the “Last updated” date above and, where appropriate, provide additional notice.

20) Contact Us

Privacy Officer: Dr. Nathan Corbett

Clinic: Lantern Psychiatry

Email: admin@lanternpsychiatry.com

Phone: (902) 332‑1081

Do not include sensitive clinical details in regular email. If you need to share clinical information, ask us about secure options.

Nova Scotia (PHIA) & Canada Compliance Addendum

Effective date: October 17, 2025

Applies to: Lantern Psychiatry Professional Corporation and LanternPsychiatry.com (“Lantern Psychiatry”, “we”, “our”). This Addendum forms part of and prevails over the Privacy Policy where there is any inconsistency.

1) Governing Laws & How They Apply

  • Personal Health Information (PHI) in Nova Scotia. We are a custodian under Nova Scotia’s Personal Health Information Act (PHIA). The Government of Canada has exempted PHIA-covered custodians from Part 1 of PIPEDA for PHI handled in Nova Scotia. For PHI, PHIA governs our practices.

  • Non‑PHI & cross‑border activities. For personal information that is not PHI (e.g., website analytics, newsletter lists) and for activities outside Nova Scotia, Canada’s federal privacy law (PIPEDA) may still apply. Where both could apply, we follow the law that provides the higher protection.

2) Designated Contact Person (PHIA s.67)

We designate the following Contact Person to oversee PHIA compliance, training, access/correction requests, complaints, and inquiries about our information practices:

Contact Person: Dr. Nathan Corbett, Custodian & Privacy Officer

Email: admin@lanternpsychiatry.com

Mail: Lantern Psychiatry, PO Box 1094, Lunenburg, Nova Scotia, Canada

3) Public Statement (PHIA s.68)

This Addendum serves as our public statement describing our information practices, how to contact our Contact Person, how to request access/correction, and how to complain to the Review Officer (see Section 10).

4) Consent in Nova Scotia (PHIA)

  • We rely on knowledgeable implied consent to collect, use, and disclose PHI for care and routine operations, unless PHIA requires express consent.

  • You may limit or revoke consent at any time (sometimes called a consent directive or lockbox). We will make reasonable efforts to comply with such directives, subject to legal limits (e.g., where disclosure is required by law or to reduce serious risk).

  • A capable minor may consent or withdraw consent. Where a patient lacks capacity, a substitute decision‑maker may act on their behalf, consistent with PHIA.

5) Telehealth via Zoom for Healthcare (Virtual Care)

  • We use Zoom for Healthcare for video/teleconferencing. We follow the College of Physicians & Surgeons of Nova Scotia’s Virtual Care standard, including informed consent, platform security, and documentation.

  • Recording policy (express consent required): On occasion we may record sessions for quality improvement, education, and systems‑improvement. Recording is never required to receive care. We obtain express informed consent before recording and disclose who can access the recording, the purpose, and retention.

  • Storage & retention: Unless otherwise stated in writing at the time of consent, recordings are stored by Lantern Psychiatry in encrypted storage located in Canada and are not part of the clinical record unless used for clinical decision‑making and documented in the chart. We do not enable Zoom cloud recording by default. If an exception is necessary (e.g., a secure teaching collaboration), we will inform you of the storage location and safeguards before recording. We use role‑based access control and restrict access to authorized personnel only. Recordings are retained only as long as needed for the stated purpose and then securely destroyed.

  • Agents & cross‑border processing: Zoom acts as our agent/service provider under PHIA. Some limited metadata or routing functions may be processed outside Canada. We require contractual safeguards, confidentiality, and prompt breach reporting from all agents. Clinical notes and PHI we control remain stored in Canada unless we inform you otherwise and the law permits.

6) Record of User Activity (PHIA s.63)

For any electronic information system we use to maintain PHI (e.g., EMR), we maintain a Record of User Activity (RUA/audit trail). Upon request, we will provide your RUA within 30 days at no charge.

7) Access & Corrections (PHIA ss.71–85)

  • You have a right to access your PHI we hold. We respond as soon as possible and no later than 30 days after receiving your request.

  • You may request corrections if your PHI is inaccurate, incomplete, or not up to date; we respond within 30 days. If we decline a correction (e.g., professional opinion made in good faith), we will explain why and you may require a statement of disagreement to be appended.

  • Except for RUAs (which are free), reasonable cost‑recovery fees may apply for copies; we provide a fee estimate in advance. Physician‑to‑physician transfers for continuity of care are not charged to the patient.

8) Safeguards, Logging & Retention

  • We implement administrative, technical, and physical safeguards to protect PHI and meet PHIA requirements, including encryption, access controls, staff training, confidentiality agreements, vendor due‑diligence, and periodic audits of user activity logs.

  • Retention: We retain medical records at least 10 years from the date of the last entry; for minors, 10 years after the patient reaches 19 (or longer if required by proceedings or other laws). We destroy or anonymize data when no longer needed, using secure methods.

9) Privacy Breach Notification (PHIA ss.69–70)

  • If PHI is stolen, lost, or accessed/used/disclosed without authorization and there is potential for harm or embarrassment, we will notify you at the first reasonable opportunity and advise you of steps you can take.

  • If we conclude that individual notice is not required, we will notify the Nova Scotia Review Officer (OIPC) as soon as possible. We also require our agents to alert us promptly about any suspected or confirmed breach.

Note on PIPEDA (federal): Our non‑PHI personal information practices (e.g., website visitors, subscribers) follow PIPEDA where applicable. For PHI in Nova Scotia, PHIA governs.

Note on Updates: This Addendum will be revised if PHIA, PIPEDA, CPSNS standards, or government guidance change. The “Last Update” date above will reflect the most recent revision.

Nova Scotia (PHIA) & Canada Compliance Addendum

Effective date: October 17, 2025

Applies to: Lantern Psychiatry Professional Corporation and LanternPsychiatry.com (“Lantern Psychiatry”, “we”, “our”). This Addendum forms part of and prevails over the Privacy Policy where there is any inconsistency.

1) Governing Laws & How They Apply

  • Personal Health Information (PHI) in Nova Scotia. We are a custodian under Nova Scotia’s Personal Health Information Act (PHIA). The Government of Canada has exempted PHIA-covered custodians from Part 1 of PIPEDA for PHI handled in Nova Scotia. For PHI, PHIA governs our practices.

  • Non‑PHI & cross‑border activities. For personal information that is not PHI (e.g., website analytics, newsletter lists) and for activities outside Nova Scotia, Canada’s federal privacy law (PIPEDA) may still apply. Where both could apply, we follow the law that provides the higher protection.

2) Designated Contact Person (PHIA s.67)

We designate the following Contact Person to oversee PHIA compliance, training, access/correction requests, complaints, and inquiries about our information practices:

Contact Person: Dr. Nathan Corbett, Custodian & Privacy Officer

Email: privacy@lanternpsychiatry.com

Mail: Lantern Psychiatry, Halifax, Nova Scotia, Canada

(If a specific street address changes, the most current details will be posted on our website.)

3) Public Statement (PHIA s.68)

This Addendum serves as our public statement describing our information practices, how to contact our Contact Person, how to request access/correction, and how to complain to the Review Officer (see Section 10).

4) Consent in Nova Scotia (PHIA)

  • We rely on knowledgeable implied consent to collect, use, and disclose PHI for care and routine operations, unless PHIA requires express consent.

  • You may limit or revoke consent at any time (sometimes called a consent directive or lockbox). We will make reasonable efforts to comply with such directives, subject to legal limits (e.g., where disclosure is required by law or to reduce serious risk).

  • A capable minor may consent or withdraw consent. Where a patient lacks capacity, a substitute decision‑maker may act on their behalf, consistent with PHIA.

5) Telehealth via Zoom for Healthcare (Virtual Care)

  • We use Zoom for Healthcare for video/teleconferencing. We follow the College of Physicians & Surgeons of Nova Scotia’s Virtual Care standard, including informed consent, platform security, and documentation.

  • Recording policy (express consent required): On occasion we may record sessions for quality improvement, education, and systems‑improvement. Recording is never required to receive care. We obtain express informed consent before recording and disclose who can access the recording, the purpose, and retention.

  • Storage & retention: Unless otherwise stated in writing at the time of consent, recordings are stored by Lantern Psychiatry in encrypted storage located in Canada and are not part of the clinical record unless used for clinical decision‑making and documented in the chart. We do not enable Zoom cloud recording by default. If an exception is necessary (e.g., a secure teaching collaboration), we will inform you of the storage location and safeguards before recording. We use role‑based access control and restrict access to authorized personnel only. Recordings are retained only as long as needed for the stated purpose and then securely destroyed.

  • Agents & cross‑border processing: Zoom acts as our agent/service provider under PHIA. Some limited metadata or routing functions may be processed outside Canada. We require contractual safeguards, confidentiality, and prompt breach reporting from all agents. Clinical notes and PHI we control remain stored in Canada unless we inform you otherwise and the law permits.

6) Record of User Activity (PHIA s.63)

For any electronic information system we use to maintain PHI (e.g., EMR), we maintain a Record of User Activity (RUA/audit trail). Upon request, we will provide your RUA within 30 days at no charge.

7) Access & Corrections (PHIA ss.71–85)

  • You have a right to access your PHI we hold. We respond as soon as possible and no later than 30 days after receiving your request.

  • You may request corrections if your PHI is inaccurate, incomplete, or not up to date; we respond within 30 days. If we decline a correction (e.g., professional opinion made in good faith), we will explain why and you may require a statement of disagreement to be appended.

  • Except for RUAs (which are free), reasonable cost‑recovery fees may apply for copies; we provide a fee estimate in advance. Physician‑to‑physician transfers for continuity of care are not charged to the patient.

8) Safeguards, Logging & Retention

  • We implement administrative, technical, and physical safeguards to protect PHI and meet PHIA requirements, including encryption, access controls, staff training, confidentiality agreements, vendor due‑diligence, and periodic audits of user activity logs.

  • Retention: We retain medical records at least 10 years from the date of the last entry; for minors, 10 years after the patient reaches 19 (or longer if required by proceedings or other laws). We destroy or anonymize data when no longer needed, using secure methods.

9) Privacy Breach Notification (PHIA ss.69–70)

  • If PHI is stolen, lost, or accessed/used/disclosed without authorization and there is potential for harm or embarrassment, we will notify you at the first reasonable opportunity and advise you of steps you can take.

  • If we conclude that individual notice is not required, we will notify the Nova Scotia Review Officer (OIPC) as soon as possible. We also require our agents to alert us promptly about any suspected or confirmed breach.

Note on PIPEDA (federal): Our non‑PHI personal information practices (e.g., website visitors, subscribers) follow PIPEDA where applicable. For PHI in Nova Scotia, PHIA governs.

Note on Updates: This Addendum will be revised as soon as feasible if PHIA, PIPEDA, CPSNS standards, or government guidance change. The “Last Update” date of the main Privacy Policy will reflect the most recent revision.

Last Update: 17-Oct-2025