Acceptable Use Policy
Introduction
This Acceptable Use Policy (the “AUP”) sets out how Authorized Users may use the CHeCS platform (the “Service”). It applies to every person who logs in to the Service on behalf of a Client, including administrators, directors of care, compliance officers, nurses, personal support workers, contractors, and any other staff Client has authorized.
The AUP is incorporated by reference into the CHeCS Software as a Service Agreement (the “Agreement”) between Vendor and Client. Capitalized terms not defined here have the meaning given in the Agreement, including “Authorized User,” “Client,” “Client Data,” “Vendor,” and “Personal Health Information” or “PHI.”
The Service is used to manage compliance records for Long-Term Care homes in Ontario. The information you record in it affects residents, regulators, and your colleagues. This AUP is short on purpose so you can read it on shift and remember what it says. If conduct is not listed here but is clearly inconsistent with the spirit of the AUP (for example, conduct that puts resident safety, data integrity, or another organization’s information at risk), Vendor may still treat it as a violation and take action.
1. Compliance and data integrity
The Service exists to produce an accurate record of how Client meets its regulatory obligations. Do not undermine that record.
You must not:
- Enter information you know to be false, misleading, or unsupported by the underlying facts, including in incident reports, investigation notes, audits, training records, or inspection responses.
- Backdate, alter, or delete entries to make compliance status appear better than it is, to conceal a missed deadline, or to misrepresent when an incident, training, or corrective action actually occurred.
- Tamper with, attempt to disable, or interfere with the Service’s audit logs, version history, or activity tracking.
- Mark training, attestations, or audits as completed on behalf of a colleague who did not actually complete them.
- Use the Service to obstruct, mislead, or delay any lawful inspection, investigation, or regulatory review.
If you make a mistake, correct it using the Service’s normal edit and comment features. Vendor preserves a record of changes, and honest corrections are not a violation of this AUP; deliberate falsification is.
2. Healthcare and clinical context
The Service is a compliance management tool. It is not a clinical decision support system, an electronic health record, a medication administration record, or an emergency alerting system.
You must not:
- Rely on the Service for time-critical clinical decisions, including medication dosing, treatment planning, triage, or emergency response.
- Use the Service as a substitute for professional clinical judgment or for licensed clinical workflows operated by Client.
- Treat any output of the Service, including reports, summaries, or AI-generated content, as clinical, legal, or other professional advice.
Decisions about resident care remain the responsibility of Client and its licensed clinical staff. In an emergency, follow Client’s emergency protocols and contact emergency services directly. Do not log a record in the Service and wait.
3. Account security and authorized access
Each Authorized User has their own account, and that account is personal to them.
You must:
- Be a current employee, officer, or contractor of Client, as required under the Authorized Users section of the Agreement. If your role with Client ends, you must stop using the Service.
- Keep your credentials confidential. Do not share your password, multi-factor authentication codes, or active sessions with anyone, including colleagues, supervisors, family, or IT staff.
- Notify Vendor promptly at security@checs.ca if you suspect your account has been compromised, or if you become aware of unauthorized access to the Service.
You must not:
- Use, attempt to access, or log in to another Authorized User’s account, or allow anyone else to use yours.
- Access or attempt to access information belonging to another Client (another organization or home), another tenant, or another Authorized User outside the scope of your assigned role and permissions.
- Use the Service from a shared, unattended, or public device without taking reasonable steps to prevent others from accessing your session.
4. PHI and personal information handling
The Service contains Personal Health Information (“PHI”) about Long-Term Care residents and personal information about staff. These are vulnerable individuals, and Ontario and Canadian law impose specific duties on how their information is handled.
You must:
- Use PHI and personal information only for purposes consistent with your role, Client’s policies, and applicable law, including the Personal Health Information Protection Act, 2004 (“PHIPA”), the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and the Fixing Long-Term Care Act, 2021 (“FLTCA”).
- Limit your use of PHI to what is reasonably necessary for the task at hand.
You must not:
- Disclose PHI to anyone who is not authorized to receive it under PHIPA, Client’s policies, or a lawful authority, including, without limitation, residents’ family members who do not hold a valid substitute decision-maker relationship, members of the public, journalists, or personal contacts.
- Export, photograph, screen-share, paste into other systems, or otherwise extract PHI from the Service except as permitted by Client’s policies, the Extracted Data section of the Agreement, and applicable law.
- Combine PHI from the Service with information from other sources (including personal devices, social media, or unrelated systems) in a way that would breach PHIPA, PIPEDA, or Client’s privacy policies.
- Use PHI to identify, contact, or communicate with residents or their families outside of Client’s authorized clinical and care channels.
5. Security and infrastructure
The Service is hosted on shared infrastructure used by multiple LTC operators across Canada. Conduct that endangers that infrastructure endangers other homes and other residents.
You must not:
- Probe, scan, or test the vulnerability of the Service or any related system, except under a written authorized assessment agreed with Vendor.
- Attempt to bypass authentication, multi-factor authentication, authorization, encryption, rate limits, file size limits, or any other security or capacity control.
- Introduce malware, ransomware, worms, viruses, malicious links, or any code intended to disrupt, damage, or gain unauthorized access to the Service or to other Authorized Users’ devices.
- Conduct or participate in any denial-of-service activity, or place a disproportionate load on the Service through scripted, automated, or repeated requests.
- Scrape, harvest, mirror, or otherwise extract data from the Service through automated means, browser automation, or interfaces other than those the Service exposes for that purpose.
Vendor enforces fair-use rate limits and per-file upload limits to protect Service availability for all Clients. If your work requires a higher limit (for example, a one-time bulk import), contact your Client account administrator or Vendor before working around the limit.
6. Artificial intelligence and automated features
The Service includes features that use artificial intelligence and other forms of automated processing. The rules below apply whenever you use those features, regardless of which specific feature you are using.
When you use AI or automated features in the Service:
- Treat all AI-generated or AI-extracted output as a draft. Review it for accuracy and completeness before you submit, file, send, sign, or act on it. You remain responsible for the final content.
- Do not rely on AI or automated output as clinical, legal, financial, regulatory, or other professional advice. Outputs are aids to your work, not substitutes for your professional judgment or applicable standards of care.
- Where AI or automated output may inform a decision with significant effects on a resident, staff member, or other individual (for example, clinical care, discipline, eligibility determinations, or regulatory submissions), that decision must be made by appropriately qualified personnel after independent review.
- Do not submit prompts, attachments, or other inputs designed to circumvent the safety, security, or integrity measures of the AI features. This includes prompt injection, jailbreaking, attempts to access or expose other Clients’ data, attempts to bypass content restrictions, and attempts to produce falsified compliance documentation.
- Do not use AI or automated features to generate misleading, deceptive, illegal, or harmful content, or content that misrepresents its source.
- Do not enter information into AI features that you would not be willing to enter elsewhere in the Service. The same PHI, accuracy, and confidentiality rules apply.
7. Lawful and ethical use
You must use the Service in compliance with all applicable laws, including PHIPA, PIPEDA, Canada’s Anti-Spam Legislation (“CASL”), the Criminal Code of Canada, FLTCA, and the Ontario Human Rights Code.
You must not use the Service to:
- Engage in any unlawful, fraudulent, or deceptive activity.
- Impersonate any person or misrepresent your affiliation with Client, another organization, or a regulator.
- Harass, threaten, defame, intimidate, or discriminate against any person, including in investigation comments, action item notes, or other shared content within the Service.
- Disclose information about an identified or identifiable individual in retaliation for that individual raising a concern, making a complaint, or exercising a legal right.
The Service is not designed for, and you must not use it for, sending unsolicited commercial electronic messages, marketing communications to residents or families, or any communication outside the staff workflow the Service is designed to support.
8. Intellectual property and content
You must not:
- Upload, post, or transmit any content that infringes another person’s copyright, trademark, trade secret, privacy, publicity, or other rights.
- Upload content that Client does not have the legal right to upload, store, or process in the Service.
- Reverse engineer, decompile, disassemble, copy, or create derivative works from the Service, except to the limited extent expressly permitted by applicable law.
- Remove, obscure, or alter any proprietary notices, branding, or labels in the Service.
9. Reporting and enforcement
Report suspected violations of this AUP to abuse@checs.ca. Report security incidents, suspected account compromise, or security vulnerabilities in the Service to security@checs.ca.
Vendor may investigate suspected violations using audit logs and other operational telemetry. Where Vendor confirms a violation, Vendor may, in its discretion and depending on the severity of the conduct:
- Issue a warning to the Authorized User or to Client.
- Notify Client’s account administrator.
- Suspend or terminate the Authorized User’s access to the Service, in accordance with the Suspension and Termination sections of the Agreement.
- Report the conduct to Client, to law enforcement, or to a regulator (including the Information and Privacy Commissioner of Ontario) where Vendor is required to do so or reasonably believes it is appropriate.
Where the violation involves a serious risk to resident safety, data integrity, or another Client’s information, Vendor may suspend access immediately and investigate afterward.
Updates to this policy
Vendor may update this AUP from time to time. Vendor will provide Client with written notice of any material changes not less than thirty (30) days before they take effect, as set out in the Use Restrictions section of the Agreement.
Related documents
- CHeCS Software as a Service Agreement: available from Client’s account administrator or by contacting Vendor
- Data Processing Addendum (Schedule B to the Agreement)
- CHeCS Status Page: https://status.checsltc.com
Reservation of rights
Vendor reserves the right to interpret and enforce this AUP in its sole discretion. Vendor may, without prior notice or liability, remove or disable access to content, restrict Service features, or suspend or terminate an Authorized User’s access if Vendor determines that the Authorized User has violated, or is reasonably suspected of having violated, this AUP. Nothing in this AUP limits any other right or remedy available to Vendor under the Agreement or at law.