Search

CHIP EHR Privacy Policy

Home 9 CHIP EHR Privacy Policy

Last updated: March 14, 2026

INTRODUCTION

Okaki Health Intelligence Inc. (Okaki) is a Canadian health informatics company. We build and operate the Community Health & Immunization Program (CHIP) platform — a secure electronic health record and clinical documentation system designed for First Nations and Indigenous community health and immunization programs.

This Privacy Policy explains how we handle personal health information within the CHIP platform, which supports immunization management, maternal and child health, communicable disease control, and community health program delivery.

We wrote this policy to be straightforward and easy to understand. If you have questions after reading it, please contact our Privacy Officer — we are happy to help. Contact details are at the end of this document.

Who this policy is for. This policy is for the health care organizations that use CHIP, the care providers who use it day-to-day, and anyone who wants to understand how Okaki handles health information on behalf of those organizations. It is also intended to support formal vendor certification and regulatory review processes.

What this policy does not cover. This policy covers how Okaki operates the CHIP platform. It does not cover the privacy practices of the health organizations that use CHIP — each of those organizations is responsible for its own privacy policies and, where required, its own Privacy Impact Assessment (PIA).

 

KEY TERMS

We use a few specific terms throughout this policy. Here is what they mean:

Custodian means the health care organization that is legally responsible for the health information in CHIP. In Ontario, this is called a Health Information Custodian under the Personal Health Information Protection Act (PHIPA). In Alberta, it is called a Custodian under the Health Information Act (HIA). Other provinces use similar terms. In plain language, the Custodian is the health centre or organization that owns and is accountable for their patients’ records.

Authorized User means a person the Custodian has approved to use CHIP in the course of delivering health services. In Ontario, these individuals are called agents of the Custodian under PHIPA. In Alberta, they are called affiliates under the HIA. Other provinces use similar terms. Authorized Users can only see and do what their assigned role allows — they cannot access information beyond what they need to do their job, and this is enforced by the system.

Personal Health Information (PHI) means any information about a person that relates to their health or the health care they receive, where that person can be identified. This is a legal term used across Canadian health privacy legislation.

Information Manager means an organization that handles health information on behalf of a Custodian to provide a service. Okaki acts as an Information Manager for each Custodian that uses CHIP. This means we follow the Custodian’s direction — we do not use health information for our own purposes.

Information Manager Agreement (IMA) means the written contract between Okaki and each Custodian that sets out our mutual privacy and security obligations. Every organization that uses CHIP signs an IMA before going live.

 

OKAKI’S ROLE — WE WORK FOR THE HEALTH CENTRE, NOT FOR OURSELVES

3.1 What This Means in Practice

Okaki is a technology provider. We build and run CHIP, but the health information in the system belongs to the Custodian — not to us. We handle that information only to provide the services the Custodian has contracted us for.

This means:

  • We never use health information for our own purposes.
  • We never sell health information.
  • We do not use health information for advertising, marketing, or to build profiles of patients or providers.
  • We only share health information when the Custodian directs us to, when it is necessary to deliver our services, or when we are required to by law.

3.2 How We Are Held Accountable

Every Custodian that uses CHIP signs an Information Manager Agreement (IMA) with Okaki before the system goes live. This agreement sets out exactly what we can and cannot do with health information, and it holds us legally accountable.

We also maintain a Health Information Governance Manual that documents all of our internal privacy and security policies and procedures. This manual is available to any Custodian upon request.

Okaki has a designated Privacy Officer who oversees our compliance with privacy laws and is available to answer questions.

3.3 Privacy Laws We Follow

Depending on where a Custodian is located, CHIP operates under different provincial privacy laws. Currently, those include:

  • The Personal Health Information Protection Act, 2004 (PHIPA) in Ontario
  • The Health Information Act (HIA) in Alberta
  • The Personal Information Protection and Electronic Documents Act (PIPEDA), where applicable

Where a Custodian serves a First Nations community, we also design and operate CHIP in a manner consistent with the Ownership, Control, Access and Possession (OCAP) principles for First Nations data governance.

As Okaki expands into new provinces, we will update this policy to reflect the applicable legislation in each jurisdiction.

 

WHAT INFORMATION WE HANDLE

Okaki only handles health information that Authorized Users enter into CHIP in the course of delivering community health services. We do not collect health information directly from patients.

Here is what may be in the system, depending on what care providers enter:

4.1 Registration and Demographic Information

This is the basic information needed to create and maintain a client record, such as name, date of birth, gender, address, phone number, email address, Personal Health Number, Treaty Number (where applicable), and emergency contact information. For children, school information may also be recorded.

4.2 Clinical Health Information

This is the health information that care providers document during visits and assessments, including allergies and adverse reactions, medical history and chronic conditions, vital signs, immunization records (including adverse events, not-immunized events, and off-series immunizations), growth parameters (age, weight, height/length, growth charts), vision and hearing assessment results, and communicable disease case records. Community health assessments, standardized program forms, and chart notes are also captured within CHIP.

4.3 Administrative and Operational Information

This includes information that supports the day-to-day running of community health programs, such as appointment records, task histories, service tracking records, scanned documents, and Proof of Immunization letters generated from the client record.

4.4 Audit and System Information

Every action taken in CHIP is automatically logged — who accessed a record, when, what they did, and why (in cases where a reason is required, such as accessing a masked note). These logs are accessible to Program Managers and System Administrators and support accountability and compliance obligations.

4.5 What We Do Not Collect

CHIP does not collect financial or billing information — no patient billing takes place in the programs CHIP supports. Health information is never collected directly from patients; it is always entered by an Authorized User on behalf of the Custodian.

 

WHY WE HANDLE THIS INFORMATION

We handle health information only to help Authorized Users deliver better, more coordinated community health services and to give health organizations the tools they need to manage their programs effectively.

Specifically, we use the information to:

  • Help care providers create and maintain accurate client records.
  • Support immunization management, including tracking immunization histories, identifying clients due for immunizations, and recording adverse events following immunization.
  • Support communicable disease surveillance and outbreak management at both the individual and community level.
  • Support maternal and child health programs, including growth monitoring and standardized developmental assessments.
  • Make sure the right information is available to the right people at the right time, based on their role.
  • Help health organizations monitor immunization coverage rates and manage community health programs at a population level.
  • Generate Proof of Immunization letters using information already in the client record.
  • Back up all information securely so it is never lost.
  • Maintain detailed audit logs so the Custodian can monitor who is accessing health information and why.

We never use health information for research, to improve our own products, for advertising, or for any purpose that goes beyond delivering the services the Custodian has contracted us for.

 

HOW INFORMATION MOVES THROUGH CHIP

6.1 Day-to-Day Use

When a care provider logs into CHIP, they are authenticated using their organizational credentials. Once in the system, they can only see and do what their assigned role permits.

All information entered into CHIP is sent securely to Okaki’s servers using strong encryption. Once there, it is stored in encrypted form.

Every access event — every time someone views, creates, edits, or deletes a record — is automatically captured in the audit log.

6.2 Provincial Integrations — Alberta Only

The following integrations are available only to organizations in Alberta, and only where the required authorizations and agreements are in place:

ImmARI Real-Time Integration (RTI) — Alberta Immunization Registry Authorized Netcare users can query the Alberta Immunization Registry (ImmARI) directly within CHIP to view a client’s immunization history from off-reserve providers, and to submit immunizations administered at the health centre to the provincial registry. This is particularly important for preventing missed or unnecessary immunizations, as First Nations clients commonly receive immunizations both on and off reserve. Accessing ImmARI through CHIP requires the same two-factor authentication as the Netcare web portal.

Integrated Alberta Netcare Portal (ANP) Authorized Netcare users can open the Alberta Netcare Portal in a separate encrypted browser window directly from CHIP, using their Netcare credentials.

All Alberta provincial integrations follow the requirements of the Health Information Act and the applicable data sharing agreements. Information obtained from provincial systems is collected, used, and disclosed only as authorized by the Custodian and applicable legislation.

 

WHERE WE STORE YOUR INFORMATION AND HOW LONG WE KEEP IT

7.1 All Data Stays in Canada

All health information in CHIP is stored and processed entirely within Canada. We never send health information outside the country.

Our primary servers are physically located at the Rogers data centre in Edmonton, Alberta. Encrypted backups are stored at a secondary off-site facility, also in Alberta. Both locations are locked, access-controlled environments — only designated Okaki technical staff can get in.

7.2 How Long We Keep Information

We keep health information for as long as the Custodian’s IMA requires. Each Custodian is responsible for setting a retention schedule that meets the requirements of their provincial legislation.

In Ontario, adult client records must be kept for at least ten (10) years from the date of the last entry. For minors, records must be kept for ten (10) years from the last entry, or until two (2) years after the person turns 18, whichever is longer.

In Alberta, disclosure records and system logs must be kept for at least ten (10) years.

7.3 When a Custodian Ends Their Subscription

If a Custodian decides to stop using CHIP, we want to make sure the transition is handled responsibly and that health information is protected throughout.

Here is what Custodians can expect:

Your data belongs to you. Health information in CHIP always remains under the legal custody and control of the Custodian. When a subscription ends, we will work with the Custodian to return their data in a usable format within a mutually agreed timeframe.

We do not hold data indefinitely. Once a Custodian confirms they have received their data and no longer require access, we will securely destroy all remaining copies of their health information from our systems — including backups. We will provide written confirmation when this is complete.

Legally required records are handled appropriately. Some audit logs and system records may be subject to mandatory retention periods under provincial health information legislation regardless of subscription status. Where this applies, we retain only what is legally required, for only as long as required, and destroy it securely once the retention period expires.

We will support the transition. We understand that moving away from an electronic health record system requires careful planning. Our team will work with the Custodian to support a smooth transition and ensure continuity of care is not disrupted.

 

HOW WE KEEP INFORMATION SAFE

Protecting health information is one of our most important responsibilities. Here is how we do it.

8.1 We Are ISO/IEC 27001:2022 Certified

Our Information Security Management System is independently audited and certified to the ISO/IEC 27001:2022 international standard. An independent third-party auditor reviews our risk register and security controls every year as part of this certification.

8.2 We Encrypt Everything

  • Information stored on our servers is encrypted using AES-256.
  • Information travelling between CHIP and our servers is protected using TLS 1.2 or higher with AES-256 encryption.
  • All backups are encrypted with AES-256 before they leave our primary servers.

8.3 Our Data Centre Is Physically Secure

The Rogers data centre in Edmonton where our servers live is monitored around the clock, every day of the year. Access requires a biometric scan and keycard, and our servers sit in individually locked cabinets that only designated Okaki staff can open. The facility meets Tier 3 standards for fire safety and power and internet redundancy, and holds SOC 2, SSAE 16, CSAE 3416, ISAE 3402, and PCIDSS certifications.

When Okaki staff need to connect to our servers remotely, they do so over an encrypted VPN using Microsoft Active Directory authentication — there is no open internet access to our hosting environment.

8.4 We Control Who Can Access What

  • Every user has their own unique username and password — shared accounts are not permitted.
  • Multi-factor authentication (MFA) is required for every login to the CHIP desktop application.
  • Role-based access controls mean each user can only see and do what their role requires.
  • The CHIP desktop application automatically locks after 30 minutes of inactivity, requiring re-authentication to continue.
  • When a staff member leaves an organization, the Custodian notifies us and we revoke their access immediately.

8.5 We Log Everything

Every action taken in CHIP is automatically recorded in the audit log — who did it, when, what record was affected, and what they did. This gives the Custodian a complete and reliable record of all activity in the system, which supports accountability under privacy legislation.

8.6 Our Staff Are Trained and Vetted

  • Every Okaki employee, contractor, and volunteer goes through a criminal record check before they start.
  • Everyone signs a Confidentiality and Non-Disclosure Agreement that remains in effect even after they leave.
  • All staff are trained on their privacy and security obligations when they start and every year after that.
  • Staff can only access information they need to do their specific job.

 

WHEN WE SHARE INFORMATION — AND WHEN WE DO NOT

We do not share health information except in these three situations:

  1. When the Custodian directs us to — for example, when immunization records are submitted to the Alberta Immunization Registry through the ImmARI RTI integration.
  2. When it is necessary to deliver our services — for example, transmitting data securely to Okaki’s hosted infrastructure.
  3. When we are required to by law.

Any third-party service provider we work with to deliver CHIP is bound by contract to keep health information confidential, use it only for the agreed purpose, and never sell or re-use it.

We do not share health information with Indigenous Services Canada or any other government body unless the Custodian specifically directs us to and applicable law permits it. Right now, no health information from CHIP is routinely shared with any provincial or federal government body beyond the Alberta provincial integrations described in Section 6.2. If that ever changes, we will update this policy before any new sharing begins.

 

PATIENT AND CLIENT RIGHTS

If you are a patient or client of a health centre that uses CHIP and you want to access, correct, or ask questions about your own health information, please contact your health centre directly. The health centre — as the Custodian — is responsible for responding to those requests under privacy law.

Okaki does not hold health information in our own right and cannot fulfill individual access or correction requests directly. If we hear from a patient directly, we will point them to the right place.

 

IF THERE IS A PRIVACY BREACH

We take privacy breaches seriously and have a clear process for handling them.

If we become aware of an actual or suspected breach involving health information in CHIP, we will notify the affected Custodian right away. The Custodian is then responsible for assessing the risk, notifying affected individuals if required, and reporting to the applicable privacy regulator — such as the Information and Privacy Commissioner of Ontario or the Office of the Information and Privacy Commissioner of Alberta — in accordance with their provincial legislation.

We will cooperate fully with the Custodian throughout their investigation and response.

If a breach involves Okaki’s own systems or staff, we manage it through our internal breach response process and escalate immediately to our Privacy Officer and senior management.

 

PRIVACY IMPACT ASSESSMENTS

A Privacy Impact Assessment (PIA) is a formal review of how a system handles health information and whether it complies with privacy law. We have completed PIAs for CHIP in each province where it is deployed:

  • Alberta: Submitted to the Office of the Information and Privacy Commissioner of Alberta (OIPC) under the Health Information Act.
  • Ontario: Completed under PHIPA and aligned with applicable Ontario certification and regulatory requirements. Participating Custodians in Ontario submit this PIA as part of their own regulatory obligations.

We review and update our PIAs at least once a year, whenever we make significant changes to CHIP, when privacy laws change, or when we add new features, integrations, or data elements. If we expand into new provinces, we will complete a PIA for each new jurisdiction before going live.

Each Custodian is responsible for reviewing and accepting the applicable PIA for their jurisdiction and for maintaining their own organizational privacy policies.

 

WE ARE OPEN ABOUT WHAT WE DO

We believe health organizations and the people they serve have a right to know how health information is being handled. This policy is publicly available on our website.

If you are a Custodian and want more detail — including our Health Information Governance Manual or Privacy and Security Charter — just ask. We are happy to share that documentation.

Our Privacy Officer is available to answer any questions about this policy or how CHIP handles health information.

 

WE KEEP THIS POLICY UP TO DATE

We review this policy at least once a year. We will also update it whenever we make significant changes to CHIP, when privacy laws change, or when we expand into new provinces or add new features. The “last updated” date at the top of this page will always reflect the most recent version.

 

CONTACT US

If you have questions or concerns about this Privacy Policy or how health information is handled within the CHIP platform, please reach out to us:

Privacy Officer — Okaki Health Intelligence Inc.

Email: privacy@okaki.com

Phone: 1-877-MYOKAKI (1-877-696-5254) | +1 587 409-0031

Mailing Address: PO Box 84210, Market Mall, Calgary, AB T3A 5C4

If you are a patient or client of a health centre that uses CHIP and have questions about your own health information, please contact your health centre directly. Your health centre is responsible for handling access and correction requests — not Okaki.