STANDARD:
This Privacy Policy is based on the principles of the CSA Model Code for the Protection of Personal Information (the “CSA Model Code”) and conforms with the requirements of the Personal Health Information Protection Act, 2004 (“PHIPA”) and other applicable legislation.
As a “health information custodian”, the Home is responsible for establishing information practices that comply with the requirements of PHIPA, including protecting “personal health information” in our custody or control.
As defined in PHIPA, “personal health information” is identifying information about an individual, in oral or recorded form, if the information:
- relates to the physical or mental health of an individual, including the individual’s medical history and the individual’s family history;
- relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual;
- relates to payment or eligibility for health care;
- is the individual’s health number; or
- identifies an individual’s substitute decision-maker.
Personal health information also includes “identifying information” contained in a record of personal health information that would not otherwise fall within the definition of personal health information (i.e. a mixed record).
Any violation of this policy may result in disciplinary action, up to and including termination, as well as other potential action.
In this Privacy Policy, “we”, “us” and “our” means the Home.
PROCEDURE:
Principle 1 – Accountability
The Home is accountable for the personal health information in its custody or control and has designated an individual, the Privacy Officer, to ensure compliance with the Privacy Policy, PHIPA and other related legislation. The contact information for our Privacy Officer is available upon request.
1.1 We demonstrate our commitment to privacy and protecting the confidentiality of personal health information in a number of ways, including but not limited to the following:
- establishing the Privacy Officer as the “contact person” required by PHIPA;
- implementing a full range of policies and procedures to protect personal health information, including the Privacy Policy;
- making a Privacy Statement available to the public, which sets out a general description of our personal health information practices and how to bring concerns to the attention of our Privacy Officer and the Information and Privacy Commissioner;
- responding to requests for access or correction to a record of personal health information in a timely and appropriate manner, in accordance with PHIPA;
- educating employees and other authorized agents who collect, use or disclose personal health information on our behalf, about their responsibilities under the Privacy Policy and PHIPA; and
- reviewing the Privacy Policy, the Privacy Statement and all of our policies and procedures regarding the protection of personal health information on a regular basis.
Principle 2 – Identifying Purposes
The Home will identify the purposes for the collection of personal health information at or before the time the information is collected. The purposes for collection include, but are not limited to the following:
- providing health care or assisting in providing health care, including communicating with health care providers;
- educating agents to provide health care;
- risk management activities;
- conducting activities to improve quality of care or the quality of any program or service;
- planning, administering and managing our internal operations;
- processing, monitoring, verifying or reimbursing claims for payment for the provision of health care or health care related goods and services;
- contacting next of kin or an individual authorized to act on behalf of an individual; and
- as otherwise permitted, authorized or required by law.
2.1 The identified purposes are specified at or before the time of collection to the individual from whom the personal health information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. Upon admission, for example, a notice or brochure identifying the purposes may be posted or given to the individual.
2.2 When personal health information that has been collected is to be used or disclosed for a purpose not previously identified for which consent is required, the new purpose will be identified prior to use or disclosure. Unless the new purpose complies with the purposes identified, the consent of the individual will be obtained before the information will be used or disclosed for another purpose.
2.3 Persons collecting personal health information will be able to explain to individuals the purposes for which the information is being collected.
2.4 Where the Home is authorized to use personal health information for a purpose, it may provide the information to an agent who may use it for that purpose on behalf of the Home.
Principle 3 – Consent
As a general rule, the consent of the individual, or their substitute decision-maker, is required for the collection, use or disclosure of personal health information.
In certain circumstances, however, PHIPA and other legislation provide that personal health information may be collected, used or disclosed without consent.
3.1 For a consent to be valid, it must be “knowledgeable”, meaning that it is reasonable to believe, in the circumstances, that the individual knows the purpose(s) of the collection, use or disclosure, as the case may be, and that the individual may provide or withhold consent. In addition, a consent must relate to the personal health information at issue and cannot be obtained through deception or coercion.
3.2 An individual is “capable” of consenting to the collection, use and disclosure of personal health information if the individual is able to:
- understand information relevant to the decision of whether to consent to the collection, use or disclosure of personal health information; and
- appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing consent.
3.3 The Home will presume that an individual is capable of consenting to the collection, use and disclosure of personal health information, unless it would be unreasonable to do so.
3.4 Where an individual is incapable of consenting to the collection, use and disclosure of personal health information, a substitute decision-maker or other authorized person may consent on behalf of the individual.
3.5 Consent may be express or implied, although PHIPA requires express consent in certain circumstances, including in most instances where the Home discloses personal health information to:
- a person that is not a health information custodian; or
- another health information custodian and the disclosure is not for the purposes of providing health care or assisting in providing health care.
3.6 When the Home receives personal health information from the individual, the individual’s substitute decision-maker, or another health information custodian for the purposes of providing health care, we will assume that we have the individual’s implied consent to collect, use and disclose the information as necessary for that purpose, unless the individual has expressly withheld or withdrawn the consent.
3.7 The Home assumes that we have the implied consent to respond to inquiries from the family and friends of a resident, confirming presence in the Home, room number and general health status, provided that the resident has not withheld or withdrawn consent to do so.
3.8 If the Home receives information from a resident regarding his or her religious affiliation, we assume that we have the individual’s implied consent to provide his or her name and location in the Home to a representative of the religious organization, provided that the individual has not withheld or withdrawn consent to do so.
3.9 Typically, the Home will seek consent for the use or disclosure of personal health information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use, for example, where the Home has collected information from a health care provider identifying a request for admitting an individual to our organization.
3.10 In obtaining consent, the reasonable expectations of the individual are relevant. For example, an individual seeking admission to the Home should reasonably expect that the Home, in addition to using the individual’s name and address for administration purposes, would also contact the individual to advise on the availability of the room in the Home. On the other hand, an individual would not reasonably expect that personal health information given to the Home would be given to a company selling health care products, unless consent has been obtained for the disclosure. We do not obtain consent through deception.
3.11 The ways in which we seek consent may vary, depending on the circumstances and the type of information to be collected.
3.12 Consent may be obtained orally or in writing. If consent is obtained orally, a notation would typically be made in the individual’s record of personal health information, noting the date, time, to what the consent relates, the purpose for the collection, use or disclosure and any other relevant details.
3.13 An individual may withdraw consent at any time, whether the consent is express or implied, by providing notice to the Home. In the event that consent is withdrawn orally, a notation will be made in the individual’s record of personal health information, noting the date, time, to what the withdrawal of consent relates, and any other relevant details. Where appropriate, we will inform the individual of the implications of such withdrawal.
Principle 4 – Limiting Collection
The collection of personal health information shall be limited to that which is necessary for the purposes identified by the Home. Information will be collected by fair and lawful means.
4.1 We will only collect personal health information for lawful purposes permitted by PHIPA and other legislation.
4.2 We will not collect personal health information if other information can serve the purpose.
4.3 We will not collect personal health information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified.
4.4 Information may be collected indirectly without the consent of the individual in certain limited circumstances, including where the information is reasonably necessary for the provision of health care to the individual or assisting in the provision of health care to the individual and (a) it is not reasonably possible to collect the information directly from the individual in a timely manner; or (b) the information cannot reasonably be relied upon as accurate.
Principle 5 – Limiting Use, Disclosure, and Retention
Personal health information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal health information will be retained as long as necessary for the fulfillment of the identified purposes and for at least the minimum period required by legislation.
5.1 The Home will use and disclose personal health information for lawful purposes permitted or required by PHIPA and other legislation.
5.2 The Home will not use or disclose personal health information if other information can serve the purpose.
5.3 The Home will not use or disclose personal health information indiscriminately. Both the amount and the type of information used and disclosed will be limited to that which is necessary to fulfill the purposes identified.
5.4 The Home will use and disclose personal health information for the purposes identified. If the Home uses or discloses personal health information for a new purpose, it will document this purpose (e.g. for promotional purposes) and obtain consent,
5.5 If personal health information is used or disclosed without an individual’s consent in a circumstance that requires consent, the Home will make a note of such use and/or disclosure and inform the individual of the use or disclosure at the first reasonable opportunity. We will keep the note as part of the record about the individual or in a form that is linked to those records.
5.6 The Home may disclose personal health information to a health care provider if the disclosure is reasonably necessary for the provision of health care and it is not reasonably possible to obtain consent in a timely manner.
5.7 The Home may disclose personal health information where the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to an individual, a person or group of persons.
Principle 6 – Accuracy
The Home will take reasonable steps to ensure that personal health information is as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
6.1 The extent to which personal health information shall be kept accurate, complete and up-to-date will depend upon our use of the information, taking into account the interests of the individual. Information will be kept sufficiently accurate, complete and up-to-date to minimize the possibility that outdated or inappropriate information may be used to make a decision about the individual.
6.2 We do not routinely update personal health information, unless such a process is necessary to fulfill the purposes for which the information was collected.
Principle 7 – Safeguards
Personal health information will be protected by safeguards appropriate to the sensitivity of the information.
7.1 The safeguards utilized by the Home protect personal health information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. We will protect personal health information regardless of the format in which it is held, e.g., verbal, paper or electronic.
7.2 The Home ensures that the records of personal health information in its custody or control are retained, transferred and disposed of in a secure manner.
7.3 The methods of protection include:
- Physical Measures, such as restricted access to offices or other areas where personal health information is kept, alarm systems, identification badges and other measures deemed to be appropriate in the circumstances.
- Administrative Measures, such as policies and procedures regarding the safeguarding of personal health information, privacy training, regular audits of our privacy practices, security clearances and limiting access to personal health information on a “need-to-know” basis; and
- Technological Measures, such as the use of firewalls, passwords and encryption.
7.4 We will ensure that our employees, volunteers and all other agents are aware of the importance of maintaining the confidentiality of personal health information. As a requirement of their employment or other association with the Home, all employees and other agents are required to sign an Acknowledgement and Confirmation to codify their commitment to the Privacy Policy, the Confidentiality Policy and other applicable policies and procedures.
7.5 Care is taken in the disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the information.
7.6 The Home has established Privacy Breach Guidelines, which adhere to PHIPA and are to be followed in the event of a privacy breach.
7.7 The Home will notify an individual at the first reasonable opportunity if personal health information is lost, stolen or accessed, used or disclosed in an inappropriate manner.
Principle 8 – Openness
We recognize the importance of an individual’s right to keep personal health information private and we are committed to protecting those individual privacy rights.
8.1 We are committed to being open about our policies and practices with respect to the protection of personal health information. This information shall be made available in a form that is generally understandable.
8.2 The information we make available shall include:
- The contact information of our Privacy Officer, who is accountable for the Home’s personal health information practices and for responding to inquiries and complaints regarding privacy matters;
- How to file a complaint with the Information and Privacy Commissioner;
- The means of requesting access to and correction of personal health information held by us;
- A description of the type of personal health information held by us, including a general account of its use and disclosure; and
- A copy of any brochures or other information that explains our privacy policies, standards, or codes.
Principle 9 – Individual Access
An individual may make a written request to obtain access to their record of personal health information in the custody or control of the Home. If access to a record is provided, an individual may then request corrections to the record.
9.1 The Home will make available a form to request access to a record of personal health information. As provided by PHIPA, we can take up to 30 days to respond to the request.
9.2 The Home may charge a reasonable fee for accessing and/or copying a record of personal health information, provided that the charges are communicated in advance.
9.3 In most cases, access to a record of personal health information will be provided, although the Home can deny access for a number of reasons, including the following:
- the person requesting the information is not legally authorized to obtain the record;
- the identity or authority of the person requesting the information cannot be proven;
- the record, or information in the record, is subject to a legal privilege that restricts disclosure;
- granting access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person;
- granting access could result in serious harm to the recovery of the individual or to others;
- there are reasonable grounds to believe that the request is frivolous, vexatious or made in bad faith; and
- as otherwise provided by law.
9.4 If the Home has denied a request for access to a record of personal information, it will provide written notice stating that it is refusing the request and that the individual is entitled to make a complaint about the refusal to the Information and Privacy Commissioner. Absent exceptional circumstances, reasons for the refusal will also be provided.
9.5 If the Home has granted an individual access to their record of personal health information, the individual may then request that the Home correct the record, if the individual believes that the record is inaccurate or incomplete.
9.6 The Home will make available a form to request correction to a record of personal health information. As provided by PHIPA, we can take up to 30 days to respond to the request.
9.7 If an individual successfully demonstrates the inaccuracy or incompleteness of their personal health information and provides the necessary information to make the correction, we will amend the information as required. Depending upon the nature of the challenged information, amendments may include the correction, deletion or the addition of information.
9.8 If requested by the individual, we will then communicate the correction to persons to whom the record was previously disclosed, except where the correction would not affect the provision of ongoing health care or other benefits to the individual.
9.9 The Home may deny a request for correction to a record of personal health information for the following reasons:
- the Home is not satisfied that the record is incomplete or inaccurate for the purposes for which it uses the information;
- it relates to a record that was not originally created by the Home and the Home does not have sufficient knowledge, expertise and authority to correct the record;
- it relates to a professional opinion or observation that a health information custodian has made in good faith about the individual; or
- it has reasonable grounds to believe that the request is frivolous, vexatious or made in bad faith.
9.10 If the Home has denied a request for correction to a record of personal information, it will provide written notice stating that it is refusing the request, provide reasons for the refusal and confirm that the individual is entitled to make a complaint about the refusal to the Information and Privacy Commissioner. In most circumstances, individuals will also be provided with an opportunity to attach a statement of disagreement to their record of health information.
Principle 10 – Challenging Compliance
An individual will be permitted to address a challenge concerning compliance with the above principles to our Privacy Officer, who is responsible for the Home’s compliance with the Privacy Policy and PHIPA.
10.1 We have procedures in place to receive and respond to complaints or inquiries about our policies and practices relating to the handling of personal health information. Any complaints or inquiries should be directed to our Privacy Officer.
10.2 We will investigate all privacy-related complaints received by us. If a complaint is found to be justified, we will take all appropriate steps to remedy the matter, including, if necessary, amending our policies and practices.
10.3 We will also inform individuals of their right to make a complaint to the Information and Privacy Commissioner.
OUTCOME:
As a health information custodian, the Home believes that the communication of its personal health information practices in a comprehensive Privacy Policy creates transparency and helps ensure the privacy and protection of personal health information in its custody or control.
ADDITIONAL REFERENCES:
- PHIPA
- CSA Model Code for the Protection of Personal Information
- Code of Conduct and Business Ethics Handbook, Policy ID # E-10
Revised December 2022