Privacy Policy
Effective Date: March 20, 2026
1. Introduction
SnapBill (“we,” “our,” or “us”), operated by 16441289 Canada Inc., provides an OHIP billing management platform for Ontario physicians and their authorized billing staff. This Privacy Policy describes how we collect, use, disclose, retain, and protect information—including personal health information—when you use our website and services (collectively, the “Service”).
This policy is governed by the Personal Health Information Protection Act, 2004 (PHIPA), Ontario’s primary law governing the collection, use, and disclosure of personal health information by health information custodians and their agents. Where applicable, the Personal Information Protection and Electronic Documents Act (PIPEDA) also applies to the commercial aspects of our operations.
By using the Service, you acknowledge that you have read and understand this Privacy Policy.
2. Definitions
In this Privacy Policy:
- “Health Information Custodian” (HIC) means the physician or healthcare provider who uses SnapBill to manage OHIP billing on behalf of their patients. Under PHIPA, the HIC is the party with primary custody and control of personal health information.
- “Personal Health Information” (PHI) means identifying information about an individual in oral or recorded form that relates to the individual’s physical or mental health, the provision of health care to the individual, payments or eligibility for health care, or the individual’s health number. As used in SnapBill, PHI includes but is not limited to: patient names, dates of birth, gender, Ontario health card numbers and version codes, diagnostic codes (ICD-9/ICD-10), OHIP billing codes and service dates, clinical notes, visit records, claim submission data, and responses from the Ministry of Health (MOH).
- “Provider Information” means information about the physician or billing staff user, including name, email address, OHIP billing number, CPSO registration number, group number, and specialty.
- “Electronic Service Provider” (ESP) means a person who provides goods or services for the purpose of enabling a HIC to use electronic means to collect, use, modify, disclose, retain, or dispose of PHI. SnapBill operates as an ESP and, where applicable, as an agent of the HIC.
3. Our Role Under PHIPA
SnapBill acts as an Electronic Service Provider and, where authorized, as an agent of the Health Information Custodian (the physician) under PHIPA. This means:
- The HIC retains custody and control of all PHI processed through SnapBill.
- We process PHI solely on behalf of and under the instructions of the HIC, for the purposes described in this policy.
- We do not use PHI for our own purposes unrelated to the Service.
- We comply with the restrictions and conditions imposed by PHIPA on ESPs and agents, including obligations regarding security, confidentiality, and notification of unauthorized access.
Physicians who use SnapBill remain responsible for obtaining any necessary patient consent and for ensuring that their use of the Service complies with PHIPA and applicable College guidelines.
4. Information We Collect
4.1 Provider Information
When you register for an account and use the Service, we collect:
- Name, email address, and professional credentials
- OHIP billing number and group number
- CPSO registration number
- Specialty and practice information
- Account credentials (passwords are stored using one-way hashing and are never accessible in plaintext)
4.2 Personal Health Information (Processed on Behalf of the HIC)
In the course of providing the Service, the following PHI is processed on behalf of the HIC:
- Patient names, dates of birth, and gender
- Ontario health card numbers (HCN) and version codes
- Diagnostic codes (ICD-9 and ICD-10)
- OHIP billing codes, service dates, and fee amounts
- Clinical notes and visit records
- Claim submission records and Ministry of Health responses received via MCEDT
4.3 Usage and Analytics Data
We collect non-PHI technical data to maintain and improve the Service:
- IP address, browser type, operating system, and device information
- Pages visited, features used, and session duration
- Error logs and performance metrics
5. How We Use Your Information
5.1 OHIP Billing Claim Management
We use PHI and Provider Information to enable the core functions of the Service: creating, validating, editing, and managing OHIP billing claims on behalf of the HIC.
5.2 Claim Submission to the Ministry of Health
With the HIC’s authorization, we submit billing claims to the Ontario Ministry of Health via the Medical Claims Electronic Data Transfer (MCEDT) system, and we receive and process claim responses, remittance advice, and error reports from the MOH.
5.3 Analytics for the Provider
We generate billing analytics, reports, and dashboards for the HIC to review their practice’s billing activity, claim approval rates, revenue summaries, and error trends.
5.4 AI-Assisted Claim Error Correction
SnapBill offers AI-assisted analysis to help identify and correct common billing errors. Before any claim data is sent to an external AI service, all personal health information is redacted and de-identified. The AI service receives only de-identified billing patterns and error descriptions—never patient names, health card numbers, dates of birth, or other direct identifiers. See Section 6.3 for details on the AI service provider.
5.5 Service Operation and Security
We use usage and analytics data to maintain, troubleshoot, and improve the Service, and to detect and prevent unauthorized access, fraud, or abuse.
6. Disclosure to Third Parties
We do not sell, rent, or trade personal information or PHI. We disclose information only in the following limited circumstances:
6.1 Ministry of Health (MCEDT)
Billing claims containing PHI are submitted to the Ontario Ministry of Health via the MCEDT system. This disclosure is made on behalf of the HIC and is required for the administration of OHIP as permitted under PHIPA.
6.2 Payment Processor (Stripe)
We use Stripe to process subscription payments from providers. Stripe receives only the provider’s payment information (such as credit card details and billing address). No PHI is shared with Stripe. Stripe’s handling of payment information is governed by its own privacy policy and PCI-DSS compliance.
6.3 AI Services (Google Gemini)
For AI-assisted claim error correction, we use Google Gemini. All PHI is redacted and de-identified before transmission to the AI service. Google Gemini receives only de-identified billing code patterns, error descriptions, and fee schedule references. No patient names, health card numbers, dates of birth, diagnostic codes linked to identifiable individuals, or other direct identifiers are transmitted to Google.
6.4 Legal Requirements
We may disclose information where required by law, regulation, legal process, or governmental request, including in response to a court order or subpoena, or as otherwise permitted under PHIPA.
7. Data Security
We implement administrative, technical, and physical safeguards to protect PHI and personal information against unauthorized access, loss, alteration, or destruction. These measures include:
- Encryption at rest: Sensitive data is encrypted using AES-256-GCM encryption
- Encryption in transit: All data transmitted between your browser and our servers, and between our servers and third-party services, is protected by TLS (Transport Layer Security)
- Authentication and access control: Access to the Service requires authenticated login. Two-factor authentication (2FA) is available for all accounts
- PHI access audit logging: Access to personal health information is logged for audit purposes
- Rate limiting: Automated safeguards limit excessive or abnormal access patterns to prevent data scraping and abuse
- Employee and contractor access: Access to PHI is limited to personnel who require it to provide and maintain the Service, and such individuals are bound by confidentiality obligations
No method of electronic storage or transmission is completely secure. While we employ commercially reasonable measures to protect your information, we cannot guarantee absolute security.
8. Data Retention
We retain information in accordance with the following schedule:
- Health records and billing data (PHI): Retained for the duration of your active account plus 10 years following account closure or the last date of service, consistent with OHIP record-keeping requirements and PHIPA retention obligations.
- Audit logs: PHI access logs and security audit records are retained for 6 years.
- Provider account information: Retained for the duration of your active account and for a reasonable period thereafter to fulfill legal and business obligations.
- Usage and analytics data: Retained in aggregate or anonymized form and may be kept indefinitely to improve the Service.
When retention periods expire, data is securely deleted or de-identified in accordance with industry best practices.
9. Your Rights Under PHIPA
Under PHIPA and applicable privacy legislation, you have the following rights:
9.1 Right of Access
You have the right to request access to the personal information and PHI we hold about you or that we process on your behalf. To make an access request, contact us at the email address listed in Section 15 of this policy. We will process your request within 30 days.
9.2 Right to Correction
If you believe that the personal information or PHI we hold is inaccurate or incomplete, you have the right to request a correction. We will respond to correction requests within 30 days.
9.3 Right to Withdraw Consent
You may withdraw your consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. Please note that withdrawing consent may limit our ability to provide certain aspects of the Service. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
9.4 Right to Complain
If you believe your privacy rights have been violated, you have the right to file a complaint with the Information and Privacy Commissioner of Ontario (IPC). See Section 15 for contact details.
10. Data Export
You may request an export of the data associated with your account. To initiate a data export request, contact us at the email address listed in Section 15. We will prepare your data package within 30 days of receiving your verified request. For security purposes, the completed data package will be delivered after a 7-day waiting period following preparation, during which you may cancel the request if it was not made by you.
11. Cookies
SnapBill uses session cookies that are essential for the operation of the Service. These cookies are used to maintain your authenticated session and security state. Our session cookies are configured with the HttpOnly and Secure flags, meaning they are not accessible to client-side scripts and are only transmitted over encrypted connections.
We do not use third-party analytics cookies or advertising trackers. We do not engage in cross-site tracking.
12. Data Location
All personal health information and provider data are stored and processed on servers located in Canada. We do not transfer PHI outside of Canada except as described in Section 6.3 (AI services), where only de-identified data is transmitted.
13. Breach Notification
In the event of a theft, loss, or unauthorized use or disclosure of personal health information, we will take the following steps as required by PHIPA:
- Notify the affected Health Information Custodian(s) at the first reasonable opportunity
- Notify affected individuals whose PHI was compromised, where required
- Report the breach to the Information and Privacy Commissioner of Ontario (IPC) as required under PHIPA
- Take immediate steps to contain the breach and prevent further unauthorized access
- Conduct an investigation and implement measures to prevent recurrence
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will provide at least 30 days’ notice before the changes take effect, by posting a notice on the Service or by sending a notification to the email address associated with your account.
The “Effective Date” at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.
15. Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights under PHIPA, or would like to make a data export request, please contact us:
SnapBill (16441289 Canada Inc.)
Email: support@snapbill.md
If you are not satisfied with our response or believe that your privacy rights have been violated, you may file a complaint with:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Telephone: 1-800-387-0073
Website: www.ipc.on.ca