This policy applies to all SHCHC staff.
In order to provide quality care and services to our clients, we are required to collect and use personal information. The Sandy Hill Community Health Centre (SHCHC) is committed to protecting the privacy, confidentiality and security of all information gathered from clients, staff and volunteers. The purpose of this policy is to ensure SHCHC’s compliance with relevant legislation (PHIPA), and thereby to prevent the inappropriate collection, use and disclosure of personal information.
SHCHC recognizes the dignity and self-worth of every person and their right to a safe, secure and trusting care environment. The client has the right to considerate and respectful care. The client also has the right to decision making affecting his/her health. Personal information is given to the Centre in trust. It is mandatory that the information remains confidential. It is important that information not circulate outside of the health centre in an unauthorized manner, and it also should not pass between staff for reasons other than appropriate consultations.
Personal Information:
This policy addresses the uses of personal information of clients, staff and volunteers. Personal information is any factual or subjective information, recorded or not, about an identifiable individual. Employee personal information does not include the name, job title, work telephone number or work address, or anything that might appear on a business card.
Personal health information:
Personal health information is defined in the Personal Health Information Protection Act (PHIPA) as identifying information relating to the physical or mental health of an individual, the provision of health care to an individual, the identification of the substitute decision-maker for the individual and the payment or eligibility of an individual for health care or coverage for health care, including the individual’s health number. For the purpose of abbreviation the terms “personal information” and “personal health information” will be interchangeable in this document.
Health information custodian:
A health information custodian, as defined by PHIPA, refers to a person or organization who has custody or control of personal health information as a result of, or in connection with performing health care services. Examples include: hospitals, pharmacies, community and mental health services, ambulances, long-term care homes, addiction treatment centres, etc.
(Custodians do NOT include: housing services, prisons/detention centres, ODSP, OW, police, attorneys, food banks, shelters, CAS, etc.).
Agents:
“Agents”, including any person or entity that acts on the Centre’s behalf, have a defined role under PHIPA. They may collect, use, disclose, retain, or dispose of personal health information on the Centre’s behalf as permitted or required by law; and only as directed by the Centre. Agents must notify the Privacy Officer at the first reasonable opportunity if personal health information they handle on behalf of the Centre is stolen, lost or accessed by unauthorized persons.
We require any Agent who collects, uses or discloses personal health information on our behalf to be aware of the importance of maintaining the confidentiality of personal health information. This is done through the signing of the Oath of Confidentiality, privacy training, and contractual means.
Privacy Officer:
The following individual has been designated as the Privacy Officer:
Kyle Heney
Risk Management Officer / Property Manager
613-789-1500 x 2509
kheney@sandyhillchc.on.ca
Accountability
The Sandy Hill Community Health Centre is responsible for personal information under its control and must maintain its confidentiality at all times. All SHCHC staff share this responsibility. Our responsibilities in protecting information also entail the assurance that third parties maintain the same levels of privacy as SHCHC.
Staff, volunteers, students and associates with access to client and employee information are expected to comply with the Privacy and Confidentiality policy. As part of their orientation to the Centre they are asked to sign an Oath of Confidentiality indicating they understand and agree to abide by the policy. A copy of the signed statement will be kept in the personnel/HR records. The obligation of confidentiality remains in effect even after termination of employment.
It is the responsibility of the Director of each component to ensure that any person having access to client and employee information is made aware of the policies and procedures concerning confidentiality and that each individual sign the Oath of Confidentiality.
The Privacy Officer
The Executive Director will appoint a designated privacy official. This Privacy Officer receives senior management support and has the authority to intervene on privacy issues relating to any of SHCHC’s operations. The name or title of this individual will be made available both internally and externally to ensure their accessibility.
The Privacy Officer is responsible for facilitating the organization’s compliance with all privacy-related legislation. He or she responds to clients’ requests for access to or correction of a record of personal health information and responds to inquiries from staff as well as the public about the Centre’s privacy policies and procedures. Finally, the Privacy Officer receives complaints from staff, clients or the public about privacy and confidentiality-related matters.
Privacy Training
The Privacy Officer is responsible for training and communicating to staff information about the organization’s privacy policies and practices, such as their duties under PHIPA and the role of the Privacy Officer.
Confidentiality of Staff and Centre Information
Employee, Volunteer and Student Information
Each employee, volunteer and student shall maintain the confidentiality of personnel files or employment records of employees, volunteers and students at the Centre.
Business Affairs
An employee or volunteer shall not disclose the business affairs of the Centre and shall not use for his/her purposes or the purposes of any other organization or individual any information that s/he may acquire about the operations of the Centre, as per the conflict of interest policy.
Contracts and Service Agreements
Written contracts will be issued for all services rendered by third parties (such as paper disposal, consultants, cleaners and contractors). A confidentiality clause will be included in the body of the contract. This clause will clearly outline the obligations of both parties regarding confidential records or documents in order to achieve compliance with PHIPA.
Purposes of Information Collection
Information will be gathered from the client, participant, employee or third party for specific purposes. This individual must be informed in a meaningful way of the purpose for the collection of personal information at or before the time of collection. SHCHC shall only collect the information it needs to fulfill the identified purpose. When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use.
Example Purposes for Data Collection:
Obtaining Consent
The valid and informed consent of the individual is required for the collection, use or disclosure of personal information, except when required by legislation. The individual’s consent will be obtained before or at the time of collection, as well as when a new use is identified.
Information disclosure will not be made a condition for supplying service, unless the information requested is required to provide the specific service.
Record keeping
Staff and administration shall use consent forms provided by SHCHC. Signed consent forms must be kept in the client/employee file in accordance with the Centre’s Retention Schedule. Verbal consents must be recorded for easy reference in the client’s or employee’s file in case an individual requests an account of such information.
Implied Consent
When SHCHC receives personal health information about an individual for the purpose of providing health care to the individual, the Centre is entitled to assume that it has the individual’s implied consent to collect, use or disclose, to a health information custodian only, the information for the purposes of providing health care to the individual. The Centre may not make this assumption if it is aware that the individual has expressly withheld or withdrawn his consent. Furthermore, it will not assume implied consent if a client’s personal health information was collected for other purposes.
Valid and Informed Consent
Informed Consent means that the client/employee or substitute decision maker has received information that a reasonable person in the same circumstances would require in order to decide about the benefits and risks of providing their information and the alternative courses of action and the consequences of not providing their information.
To ensure informed consent, the service provider must disclose to the client the nature of the information gathering, its purpose, any risks, and the consequences of not providing consent. The practitioner must answer any specific questions posed by the client. The client must always be given the opportunity to rescind their consent.
In order for consent to be “valid”, the following criteria must be met:
When Consent is not Required
There are certain activities for which consent is not required to use or disclose personal health information. These activities are permitted or required by law. For example, we do not need consent from individuals to:
Competence to Consent
An incapable person cannot provide valid consent. If a practitioner determines a client is unable to consent, a substitute decision-maker must then act on his or her behalf. All rights of an individual apply to his/her substitute decision-maker.
People who are judged to be incompetent in one instance are not necessarily incompetent in all instances, and may be capable of consenting in a later situation. Also, people have the right to make unreasonable decisions, so long as they are competent and can demonstrate that they fully appreciate the consequences of their decisions.
When a patient’s mental capacity is in doubt:
Withholding or Withdrawal of Consent
If consent is sought, an individual may choose not to give consent or withhold consent. If consent is given, the individual may withdraw consent at any time, but the withdrawal cannot be retrospective. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.
Limit Collection
Staff members will:
Limit Use, Disclosure and Retention
Staff Access and Disclosure
SHCHC will use or disclose personal information only for the purpose for which it was collected, unless the individual consents otherwise, or the use or disclosure is authorized by law.
SHCHC strives to offer a range of programs and services that are holistic and recognize that a multitude of factors can affect a client’s health and well-being. For this reason, it is important that there are open lines of communication between service providers and Centre programs to ensure the most effective and efficient utilization of services possible. There are both formal and informal means of sharing information ranging from verbal consultation to referral forms and shared care.
Access to Client and Employee Information
Authorized staff
Personally identifiable information should be restricted to:
Case discussions, consultation, examination and treatment are confidential. When staff, client or volunteer safety is at risk (reference the Violence and Banned Client Policies and Procedures) this will take precedence. However, in any instance, the minimum amount of information judged necessary to thwart the potential harm is disclosed.
For problem solving purposes or for finding an appropriate resource for a client, staff do not need to identify clients in any way. If staff members have mutual clients, clients can be identified in discussions. Staff consultations are essential for updating providers on new and pertinent information about a client, seeking consultation and supervision in serving a client or developing plans of care for a client. However, in order to provide clients with comprehensive health care, their personal client information may be shared among those staff members who are directly involved with their care. Sharing of information is done only when necessary and appropriate to provide clients with quality service.
Sometimes a client may wish to specify that certain staff or third parties not have access to the file or to part of the information therein (Information Lock-box). Refer to the Confidential Lock-Box procedure for more information.
Day to Day Maintenance in the Limitation of Disclosure
Retention Time
Staff members will:
Accuracy
It is the responsibility of the Centre staff to:
Amendments
Refer to Individual Access Procedure for information on how to amend client records.
Safeguards
The confidential records as well as other documented information belonging to clients and staff members are the property of SHCHC, whose responsibility it is to take all reasonable precautions to secure the information against loss, fire, theft, defacement, tampering, access or copying by unauthorized persons.
Security safeguards are intended to protect personal information. Appropriate security safeguards will be used to provide necessary protection, regardless of the format in which it is held, such as physical measures (e.g. restricting access to offices), technological tools (e.g. passwords) and organizational controls (e.g. confidentiality agreements, electronic health records access audit). Employees are to access computers, files and other recorded information of the SHCHC and its programs only as authorized and required for the effective delivery of programs.
Telephone, Fax or E-mail Client Information Disclosures
Information is only disclosed following proper consent practices. Information is never given to anyone if there is any question as to the person’s identity (see Electronic Disclosure of PHI Procedure).
Security Measures for the Proper Storage of Information
Secure access shall be assured in all areas where client and employee information records are kept including case files, records stored in computer banks, central file areas and any sub-systems created for convenience.
Locked cabinets, locked shelves or a locked room in which records information is housed will assure security. Client personal information will not be transmitted via email, including names if the email is about client care issues.
Client files will not be removed from the Centre unless the Director provides special authorization. The removal of confidential information in any form from the Centre premises is discouraged and must comply with established practices. Anyone removing confidential information is accountable for protecting such information until it is safely returned to the Centre.
Confidential client information stored in computers and external memory drives (e.g. USB sticks) can be accidentally destroyed or stolen. It is the responsibility of all users to protect the information stored on their personal computers. Electronic devices (mobile phones, laptops, etc.) must be password protected in the event they are lost or stolen. Staff who occasionally work from home must ensure they are working over a secure network and that no one else in the home has access to client information. The more confidential and sensitive the information, the more comprehensive the measures taken to protect it must be.
The photocopying of client records is the responsibility of authorized staff. All copies of information sent outside the Centre must be endorsed with the date the material was sent and contain the label “copy”.
Openness
The following information will be readily available to staff, Board of Directors, volunteers, students and clients:
SHCHC will ensure the policies and practices are understandable and easily accessible.
Clients must be told during their first visit (with the exception of a few anonymous services offered by the Centre, e.g. the Junction) and as required, about the policy of sharing information within the Centre and with professionals to whom they may be referred. They are invited to ask their practitioner further questions. They are asked to sign a General Consent form.
It is stressed that information is only shared as necessary to give optimum health care. Clients are assured that no information from their records will be released to anyone except as above without their express consent. They are also informed at their first visit that they have access to their personal information records.
Clients are also made aware of the limits of the confidentiality policy and mandatory disclosure.
Give Individuals Access
Upon request, a client shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information.
File Amendments
An individual can challenge the accuracy and completeness of the information and make requests for any corrections to be added to his/her file. A client may request that his/her practitioner amend his/her health care record. This amendment will be added to the file; the original will not be altered. If a correction is requested and is not made, the client may further their complaint to the Privacy Officer or other relevant officials. Refer to the Individual Access Procedure for additional information.
Obtaining Access
Refer to the Access to Client Records Procedure for additional information.
Privacy Breaches and Audits
A privacy breach occurs whenever a person contravenes or is about to contravene a rule under PHIPA or this Privacy Policy or related policies and procedures of the Centre, including in cases where an individual’s information is lost, stolen or accessed by an unauthorized person.
The Centre will conduct random audits routinely, and as deemed necessary in a given circumstance. Failure to comply with PHIPA, this Privacy Policy, related policies and procedures of the Centre, whether intentionally or inadvertently, may result in disciplinary action of the Agent, up to and including termination of employment, privilege, or services.
All privacy breaches must be reported immediately to the Privacy Officer. Refer to the Centre's Privacy Breach Procedure for additional information.
Challenging Compliance
Any individual (staff, client, etc.) is able to launch a challenge concerning compliance with the above principles to the Privacy Officer.
Upon a challenge, SHCHC will:
The Privacy Officer will review all feedback, make changes to the policy as needed and ensure feedback response meets legislative rights and timeliness. The Officer will notify the Information and Privacy Commissioner (IPC) as necessary.
The IPC oversees the Organization’s compliance with privacy rules and PHIPA. Anyone can make an inquiry or complaint directly to the IPC by writing to or calling:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8 Canada
Phone: 1 (800) 387-0073 (or 416-326-3333 in Toronto)
Fax: 416-325-9195
www.ipc.on.ca