As a “health information custodian”, the Home is responsible for establishing information practices that comply with the requirements of PHIPA, including protecting “personal health information” in our custody or control.
As defined in PHIPA, “personal health information” is identifying information about an individual, in oral or recorded form, if the information:
relates to the physical or mental health of the individual, including the health history of the individual or the individual’s family;
relates to the provision of health care to the individual, including the identification of a person as a health care provider to the individual;
relates to payment or eligibility for health care or eligibility for health care coverage;
is the individual’s health number; or
identifies the individual’s substitute decision-maker.
Personal health information also includes “identifying information” contained in a record of personal health information that would not otherwise fall within the definition of personal health information (i.e. a mixed record).
Any violation of this policy may result in disciplinary action of an employee, volunteer or other agent, up to and including termination of the relationship with the Home, as well as other potential action.
Principle 1 – Accountability
We demonstrate our commitment to privacy and protecting the confidentiality of personal health information in a number of ways, including but not limited to the following:
establishing the Privacy Officer as the “contact person” required by PHIPA;
making a Privacy Statement available to the public, which sets out a general description of our personal health information practices and how to bring concerns to the attention of our Privacy Officer and the Information and Privacy Commissioner;
responding to requests for access or correction to a record of personal health information in a timely and appropriate manner, in accordance with PHIPA;
educating employees, volunteers and other authorized agents who collect, use or disclose personal health information on our behalf, about their responsibilities under PHIPA; and
Principle 2 – Identifying Purposes
The Home collects, uses and discloses personal health information for certain identified purposes, including but not limited to the following:
providing health care or assisting in the provision of health care, including communicating with health care providers;
providing education and training to our employees, volunteers and other agents;
conducting quality improvement and risk management activities;
planning, administering and managing our internal operations;
processing, monitoring, verifying or reimbursing claims for payment for the provision of health care or health care-related goods and services;
communicating with substitute decision-makers;
communicating with estate trustees or if there is no estate trustee, the person who has assumed responsibility for the administration of an estate;
as authorized by a resident, or by a person with authority to act on behalf of a resident; and
for other purposes as permitted or required by law.
The identified purposes should be specified at or before the time of collection to the individual from whom the personal health information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. For example, upon admission, a notice or brochure identifying the purposes may be posted or given to the individual.
When personal health information is to be used or disclosed for a purpose not previously identified, the new purpose will be identified prior to its use or disclosure. Unless the new purpose is required by law, the consent of the individual will be obtained before the information is used or disclosed for the new purpose.
Persons collecting personal health information on behalf of the Home will be able to explain to individuals the purposes for which the information is being collected.
Where the Home is authorized to use personal health information for a purpose, it may provide the information to an agent who may use it for that purpose on behalf of the Home.
Principle 3 – Consent
As a general rule, the consent of the individual, or their substitute decision-maker, if applicable, is required for the collection, use or disclosure of personal health information, unless PHIPA allows for the collection, use or disclosure without consent.
For consent to be valid, it must be “knowledgeable”, meaning that it is reasonable to believe, in the circumstances, that the individual knows the purpose(s) of the collection, use or disclosure, as the case may be, and that the individual may provide or withhold consent. In addition, consent must relate to the personal health information at issue and cannot be obtained through deception or coercion.
An individual is “capable” of consenting to the collection, use and disclosure of personal health information if the individual is able to:
understand information relevant to the decision of whether to consent to the collection, use or disclosure of personal health information; and
appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing consent.
The Home will presume that an individual is capable of consenting to the collection, use and disclosure of personal health information, unless it would be unreasonable to do so.
Where an individual is incapable of providing consent to the collection, use and disclosure of personal health information, a substitute decision-maker may provide consent on behalf of the individual.
An individual’s consent may be express or implied. Express consent to the collection, use or disclosure of personal health information is consent that has been clearly and unmistakably given. Express consent may be explicitly provided, either orally or in writing.
Implied consent to the collection, use or disclosure of personal health information is consent that the Home concludes has been given based on an individual’s action or inaction in particular factual circumstances.
PHIPA requires express consent in certain circumstances, including in most instances where the Home discloses personal health information to:
a person that is not a health information custodian; or
another health information custodian and the disclosure is not for the purposes of providing health care or assisting in providing health care.
When the Home receives personal health information from the individual, the individual’s substitute decision-maker, or another health information custodian for the purposes of providing health care, we will assume that we have the individual’s implied consent to collect, use and disclose the information as necessary for that purpose, unless the individual has expressly withheld or withdrawn the consent.
The Home assumes that we have the implied consent to respond to inquiries from the family and friends of a resident, confirming presence in the Home, room number and general health status, provided that the resident has not withheld or withdrawn consent to do so.
If the Home receives information from a resident regarding his or her religious affiliation, we assume that we have the individual’s implied consent to provide his or her name and contact information to a representative of that religious organization, provided that the individual has not withheld or withdrawn consent to do so.
Typically, the Home will seek consent for the use or disclosure of personal health information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use, for example, where the Home has collected information from a health care provider identifying a request for admitting an individual to our organization.
In obtaining consent, the reasonable expectations of the individual are relevant. For example, an individual seeking admission to the Home should reasonably expect that the Home, in addition to using the individual’s name and address for administration purposes, would also contact the individual to advise on the availability of the room in the Home. On the other hand, an individual would not reasonably expect that personal health information given to the Home would be given to a company selling health care products, unless consent has been obtained for the disclosure. We do not obtain consent through deception.
The ways in which we seek consent may vary, depending on the circumstances and the type of information to be collected.
Consent may be obtained orally or in writing. If consent is obtained orally, a notation would typically be made in the individual’s record of personal health information, noting the date, time, to what the consent relates, the purpose for the collection, use or disclosure and any other relevant details.
An individual may withdraw consent at any time, whether the consent is express or implied, by providing notice to the Home. In the event that consent is withdrawn orally, a notation will be made in the individual’s record of personal health information, noting the date, time, to what the withdrawal of consent relates, and any other relevant details. Where appropriate, we will inform the individual of the implications of such withdrawal.
Principle 4 – Limiting Collection
The collection of personal health information shall be limited to that which is necessary for the purposes identified by the Home. Information will be collected by fair and lawful means.
We will only collect personal health information for lawful purposes, including as permitted by PHIPA and other legislation.
We will not collect personal health information if other information can serve the purpose of the collection.
We will not collect personal health information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified.
Information may be collected indirectly without the consent of the individual in certain limited circumstances, including where the information is reasonably necessary for the provision of health care to the individual or assisting in the provision of health care to the individual and (a) it is not reasonably possible to collect the information directly from the individual in a timely manner; or (b) the information cannot be reasonably relied upon as accurate.
Principle 5 – Limiting Use, Disclosure, and Retention
Personal health information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal health information will be retained as long as necessary for the fulfillment of the identified purposes and for at least the minimum period required by legislation.
The Home will use and disclose personal health information for lawful purposes permitted or required by PHIPA and other legislation.
The Home will not use or disclose personal health information if other information can serve the purpose of the use or disclosure.
The Home will not use or disclose personal health information indiscriminately. Both the amount and the type of information used and disclosed will be limited to that which is necessary to fulfill the purposes identified.
The Home will use and disclose personal health information for the purposes identified. If the Home uses or discloses personal health information for a new purpose, it will document this purpose (e.g. for promotional purposes) and obtain consent.
If personal health information is used or disclosed without an individual’s consent in a circumstance that requires consent, the Home will make a note of such use and/or disclosure, and inform the individual of the use or disclosure at the first reasonable opportunity. We will keep the note as part of the record about the individual or in a form that is linked to those records.
The Home may disclose personal health information without an individual’s consent in certain circumstances. While these disclosures without consent are permitted by PHIPA, they are not mandatory, unless they are necessary to carry out a statutory or legal duty. Some examples of permitted disclosures of personal health information without consent include:
if the disclosure is reasonably necessary for providing health care and consent cannot be obtained in a timely manner, unless there is an express request from the individual instructing otherwise;
in order for the Minister of Health and Long-Term Care to provide funding to the custodian for the provision of health care;
for the purpose of contacting a relative or friend or potential substitute decision-maker of an individual who is injured, incapacitated or ill and unable to give consent personally;
to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons;
for the purpose of carrying out an inspection, investigation or similar procedure that is authorized by a warrant, PHIPA or another statute;
for determining or verifying eligibility for publicly funded health care or related goods, services or benefits;
for the purpose of administration and enforcement of various statutes by the professional Colleges and other regulatory bodies;
for the purpose of legal proceedings, in specific circumstances; and
for any purpose required or permitted by law.
Principle 6 – Accuracy
The Home will take reasonable steps to ensure that personal health information is as accurate, complete, and up-to-date as is necessary for the purposes for which it uses the information.
The extent to which personal health information shall be kept accurate, complete and up-to-date will depend upon our use of the information, taking into account the interests of the individual. Information will be kept sufficiently accurate, complete and up-to-date to minimize the possibility that outdated or inappropriate information may be used to make a decision about the individual.
In cases where the Home discloses personal health information, it will ensure that it:
takes reasonable steps to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes of the disclosure that are known to the Home at the time of the disclosure; or
clearly sets out for the recipient of the disclosure the limitations, if any, on the accuracy, completeness or up-to-date character of the information.
Principle 7 – Safeguards
The Home will take reasonable steps to ensure that personal health information in its custody or control is protected from theft, loss and unauthorized use or disclosure.
The Home will ensure that records containing personal health information are protected against unauthorized copying, modification or disposal.
The Home protects personal health information through its use of the following:
Physical Measures, such as restricted access to offices or other areas where personal health information is kept, alarm systems, identification badges and other measures deemed to be appropriate in the circumstances;
Administrative Measures, such as policies and procedures regarding the safeguarding of personal health information, privacy training, regular audits of our privacy practices, security clearances and limiting access to personal health information on a “need-to-know” basis; and
Technological Measures, such as the use of firewalls, passwords and encryption.
The Home will ensure that personal health information is destroyed in a manner that is in keeping with legal and industry standards so as to prevent unauthorized parties from gaining access to the information.
The Home has established Privacy Breach Guidelines, which adhere to PHIPA and are to be followed in the event of a privacy breach.
The Home will notify an individual at the first reasonable opportunity if personal health information is lost, stolen or accessed, used or disclosed in an inappropriate manner.
Principle 8 – Openness
We are committed to being open about our policies and practices regarding the protection of personal health information.
The information we make available includes:
The contact information of our Privacy Officer, who is accountable for the Home’s personal health information practices and to whom complaints or inquiries can be forwarded;
How to file a complaint with the Information and Privacy Commissioner;
How to request access to a record of personal health information in our custody or control;
How to request that a correction be made to a record of personal health information in our custody or control;
A description of the types of personal health information held by us;
The purposes for which we collect, use and disclose personal health information; and
A copy of any brochures or other documentation that explains our personal health information practices.
Principle 9 – Individual Access
An individual may make a written request to obtain access to their record of personal health information in the custody or control of the Home. If access to a record is provided, an individual may then request correction(s) to the record.
The Home will make available a form to request access to a record of personal health information.
The Home will respond to an access request as soon as possible in the circumstances, but no later than thirty (30) days. The Home may extend the time limit for responding by up to an additional thirty (30) days, if:
meeting the initial time period would unreasonably interfere with the operations of the Home, because the information consists of numerous pieces of information or locating the information would necessitate a lengthy search; or
the time required to complete the consultations necessary to reply to the request would make it not reasonably practical to reply within the initial time period.
The Home can charge a fee for access to or provision of a copy of a record of personal health information, provided that the Home provides the individual with an estimate of the fee in advance. The fee must be limited to the amount prescribed by PHIPA or the amount of “reasonable cost recovery”, if no amount is prescribed.
In most cases, access to a record of personal health information will be provided, although the Home can deny access for a number of reasons, including the following:
the individual requesting the record is not legally authorized to obtain the record;
the identity or authority of the individual requesting the record cannot be proven;
the record, or information in the record, is subject to a legal privilege that restricts disclosure;
the record cannot be disclosed by virtue of legislation or court order;
the information in the record was collected/created primarily in anticipation of or for use in a proceeding that has not yet concluded;
the information in the record was collected/created for an inspection/investigation or similar procedure authorized by law that has not yet concluded;
granting access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the resident at issue or a risk of serious bodily harm to the resident at issue or another person;
it has reasonable grounds to believe that the request is frivolous, vexatious or made in bad faith; or
as otherwise prohibited by law.
If the Home has denied a request for access to a record of personal information, it will provide written notice stating that it is refusing the request and that the individual is entitled to make a complaint about the refusal to the Information and Privacy Commissioner. Absent exceptional circumstances, reasons for the refusal will also be provided.
If the Home has granted an individual access to their record of personal health information, the individual may then request that the Home correct the record, if the individual believes that the record is inaccurate or incomplete.
The Home will make available a form to request correction to a record of personal health information.
The Home will respond to a correction request as soon as possible in the circumstances but no later than thirty (30) days. The Home may extend the time limit for responding by up to an additional thirty (30) days, if:
meeting the initial time period would unreasonably interfere with the activities of the Home; or
the time required to complete the consultations necessary to reply to the request would make it not reasonably practical to reply within the initial time period.
If an individual successfully demonstrates the inaccuracy or incompleteness of their personal health information and provides the necessary information to make the correction, we will amend the information as required. Depending upon the nature of the challenged information, amendments may include the correction, deletion or the addition of information.
If requested by the individual, we will then communicate the correction to persons to whom the record was previously disclosed, except where the correction would not affect the provision of ongoing health care or other benefits to the individual.
The Home may deny a request for correction to a record of personal health information for the following reasons:
the Home is not satisfied that the record is incomplete or inaccurate for the purposes for which it uses the information;
it relates to a record that was not originally created by the Home and the Home does not have sufficient knowledge, expertise and authority to correct the record;
it relates to a professional opinion or observation that a health information custodian has made in good faith about the individual; or
it has reasonable grounds to believe that the request is frivolous, vexatious or made in bad faith.
If the Home has denied a request for correction to a record of personal information, it will provide written notice to the individual making the request that it is refusing the request; provide reasons for the refusal; and advise the individual that they are entitled to make a complaint about the refusal to the Information and Privacy Commissioner. In most circumstances, individuals will also be provided with an opportunity to attach a statement of disagreement to their record of personal health information.
Principle 10 – Challenging Compliance
An individual may make inquiries or file a complaint regarding our personal health information practices or any collection, use or disclosure of personal health information, by contacting our Privacy Officer.
We will investigate all such complaints, including by reviewing all relevant records and speaking to all relevant persons. If necessary, we will also contact the individual to clarify the complaint.
After conducting the investigation, we will take all appropriate action in the circumstances, including modifying our policies and procedures, where necessary.
We will ensure that the individual is notified about the outcome of the investigation in a clear and prompt manner.
We will also ensure that the individual is made aware of their right to file a complaint with the Information and Privacy Commissioner.
CSA Model Code for the Protection of Personal Information
Human Resources Manual, Code of Conduct and Business Ethics, Policy ID # E-10
INFORMATION MANAGEMENT SYSTEMS MANUAL
SECTION: PRIVACY INDEX I.D.: H-05
ORIGINAL DATE: July 15, 2005
APPROVED BY: REVISED DATE: September 25, 2019
RESPONSIVE HEALTH MANAGEMENT INC.