Privacy and Confidentiality Policy

Accountability

The Sandy Hill Community Health Centre is responsible for personal information under its control and must maintain its confidentiality at all times. All SHCHC staff share this responsibility. Our responsibilities in protecting information also entail the assurance that third parties maintain the same levels of privacy as SHCHC.

Staff, volunteers, students and associates with access to client and employee information are expected to comply with the Privacy and Confidentiality policy. As part of their orientation to the Centre they are asked to sign an Oath of Confidentiality indicating they understand and agree to abide by the policy. A copy of the signed statement will be kept in the personnel/HR records. The obligation of confidentiality remains in effect even after termination of employment.  

It is the responsibility of the Director of each component to ensure that any person having access to client and employee information is made aware of the policies and procedures concerning confidentiality and that each individual sign the Oath of Confidentiality.

The Privacy Officer

The Executive Director will appoint a designated privacy official. This Privacy Officer receives senior management support and has the authority to intervene on privacy issues relating to any of SHCHC’s operations. The name or title of this individual will be made available both internally and externally to ensure their accessibility.

The Privacy Officer is responsible for facilitating the organization’s compliance with all privacy-related legislation. He or she responds to client’s requests for access to or correction of a record of personal health information and responds to inquiries from staff as well as the public about the Centre’s privacy policies and procedures. Finally, the Privacy Officer receives complaints from staff, clients or the public about privacy and confidentiality-related matters.

Privacy Training

The Privacy Officer is responsible for training and communicating to staff information about the organization’s privacy policies and practices, such as their duties under PHIPA and the role of the Privacy Officer.

Confidentiality of Staff and Centre Information

Employee, Volunteer and Student Information

Each employee, volunteer and student shall maintain the confidentiality of personnel files or employment records of employees, volunteers and students at the Centre.

Business Affairs

An employee or volunteer shall not disclose the business affairs of the Centre and shall not use for his/her purposes or the purposes of any other organization or individual any information that s/he may acquire about the operations of the Centre, as per the conflict of interest policy.

Contracts and Service Agreements

Written contracts will be issued for all services rendered by third parties (such as paper disposal, consultants, cleaners and contractors). A confidentiality clause will be included in the body of the contract. This clause will clearly outline the obligations of both parties regarding confidential records or document in order to achieve compliance with PHIPA.

Purposes of Information Collection

Information will be gathered from the client, participant, employee or third party for specific purposes. This individual must be informed in a meaningful way of the purpose for the collection of personal information at or before the time of collection. SHCHC shall only collect the information it needs to fulfill the identified purpose. When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. 

Example Purposes for Data Collection:

• To provide direct care
• To contact clients/volunteers regarding upcoming events
• To submit information required by funding agencies (e.g. Ministry of Health)
• To plan programs and services
• To employ individuals
• Quality improvement (e.g. Evaluation and chart audits)
• Any other reason needed to provide services

Obtaining Consent

The valid and informed consent of the individual is required for the collection, use or disclosure of personal information, except when required by legislation. The individual’s consent will be obtained before or at the time of collection, as well as when a new use is identified.

Information disclosure will not be made a condition for supplying service, unless the information requested is required to provide the specific service.

Record keeping

Staff and administration shall use consent forms provided by SHCHC. Signed consent forms must be kept in the client/employee file in accordance to the Centre’s Retention Schedule. Verbal consents must be recorded for easy reference in the client’s or employee’s file in case an individual requests an account of such information.

Implied Consent

When SHCHC receives personal health information about an individual for the purpose of providing health care to the individual, the Centre is entitled to assume that it has the individual’s implied consent to collect, use or disclose, to a health information custodian only, the information for the purposes of providing health care to the individual. The Centre may not make this assumption if it is aware that the individual has expressly withheld or withdrawn his consent. Furthermore, it will not assume implied consent if a client’s personal health information was collected for other purposes.

Valid and Informed Consent

Informed Consent means that the client/employee or substitute decision maker has received information that a reasonable person in the same circumstances would require in order to decide about the benefits and risks of providing their information and the alternative courses of action and the consequences of not providing their information.

To ensure informed consent, the service provider must disclose to the client the nature of the information gathering, its purpose, any risks, and the consequences of not providing consent. The practitioner must answer any specific questions posed by the client. The client must always be given the opportunity to rescind their consent. 

In order for consent to be “valid”, the following criteria must be met:

• consent must be voluntary;
• the client must have the physical and mental capacity to consent; and,
• the client must have been properly informed.

When Consent is not Required

There are certain activities for which consent is not required to use or disclose personal health information. These activities are permitted or required by law. For example, we do not need consent from individuals to:

• Plan, administer and manage our internal operations, programs and services
• ngage in quality improvement, error management, and risk management activities
• Participate in the analysis, administration and management of the health care system
• Engage in research (subject to certain rules, e.g. Research Ethics Board approval, creation of a research plan)
• Teach, train and educate our Agents
• Compile statistics for internal or mandatory external reporting
• Respond to legal proceedings
• Comply with mandatory reporting obligations

Competence to Consent

An incapable person cannot provide valid consent. If a practitioner determines a client is unable to consent, a substitute decision-maker must then act on his or her behalf.  All rights of an individual apply to his/her substitute decision-maker.

People who are judged to be incompetent in one instance are not necessarily incompetent in all instances, and may be capable of consenting in a later situation. Also, people have the right to make unreasonable decisions, so long as they are competent and can demonstrate that they fully appreciate the consequences of their decisions.

When a patient’s mental capacity is in doubt:

• The lead service provider makes a judgment as to whether the client is able to appreciate the nature and consequences of their consent.
• The lead service provider, if unable to render an opinion, consults a second service provider, preferably a psychiatrist.
• The lead service provider notes in the client’s file that competency testing and consultation were undertaken, and the conclusion reached.
• The proper substitute decision-maker must make the decisions when an incapable person cannot provide valid consent.
• Findings of incapacity come with obligations according to the law with respect to providing information to their clients.

Withholding or Withdrawal of Consent

If consent is sought, an individual may choose not to give consent or withhold consent. If consent is given, the individual may withdraw consent at any time, but the withdrawal cannot be retrospective. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.

Limit Collection

Staff members will:

• Limit the amount and type of information gathered to what is necessary for the identified purpose.
• Ensure that there is a justifiable purpose for obtaining and recording information about a client.
• Not collect personal health information by misleading or deceiving individuals about the purpose for which the information is collected.

Limit Use, Disclosure and Retention

Staff Access and Disclosure

SHCHC will use or disclose personal information only for the purpose for which it was collected, unless the individual consents otherwise, or the use or disclosure is authorized by law.

SHCHC strives to offer a range of programs and services that are holistic and recognize that a multitude of factors can affect a client’s health and well-being. For this reason, it is important that there are open lines of communication between service providers and Centre programs to ensure the most effective and efficient utilization of services possible. There are both formal and informal means of sharing information ranging from verbal consultation to referral forms and shared care.

Access to Client and Employee Information

Authorized staff

Personally identifiable information should be restricted to:

• staff providing service to the client, and their supervisor;
• staff member who are providing assistance to the staff providing service to the client;
• staff assigned to tabulate and collate data;
• appropriate administrative personnel; and,
• volunteers and students who need access to parts of client records to complete their work or research.

Case discussions, consultation, examination and treatment are confidential. When staff, client or volunteer safety is at risk (reference the Violence and Banned Client Policies and Procedures) this will take precedence. However, in any instance, the minimum amount of information judged necessary to thwart the potential harm is disclosed.

For problem solving purposes or for finding an appropriate resource for a client, staff do not need to identify clients in any way. If staff members have mutual clients, clients can be identified in discussions. Staff consultations are essential for updating providers on new and pertinent information about a client, seeking consultation and supervision in serving a client or developing plans of care for a client. However, in order to provide clients with comprehensive health care, their personal client information may be shared among those staff members who are directly involved with their care.  Sharing of information is done only when necessary and appropriate to provide clients with quality service.

Sometimes a client may wish to specify that certain staff or third parties not have access to the file or to part of the information therein (Information Lock-box). Refer to the Confidential Lock-Box procedure for more information.

Day to Day Maintenance in the Limitation of Disclosure

• All records are returned to the designated area at the end of the day.
• Appointment and records books are kept closed when not in use and are stored securely when the employee is not at work.
• Cases and clients are not discussed in open areas, such as waiting areas, the kitchen, lunchroom or hallways.
• All telephone conversations are kept as private as possible.
• Client data is never left on computer screens were it could be viewed by a passer-by, nor is it left on the counter of the communication centre.

Retention Time

Staff members will:

• Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
• Providers may keep informal notes about their clients (telephone messages, etc.) that are only needed temporarily. While these notes may not necessarily become part of a client’s file they should be treated with the same level of confidentiality and with the same confidentiality practices. When discarding informal notes care should be taken to ensure that they are destroyed in an appropriate manner.
• Refer to Retention and Destruction of Records Policy for additional information regarding retention time.
• Refer to Documentation Standards Policy.

Accuracy

It is the responsibility of the Centre staff to:

• Create and maintain client records which are clear, concise, comprehensive, professional, and which serve to further the care of the client; and,
• Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.

Amendments

Refer to Individual Access Procedure for information on how to amend client records.

Safeguards

The confidential records as well as other documented information belonging to clients and staff members are the property of SHCHC, whose responsibility it is to take all reasonable precautions to secure the information against loss, fire, theft, defacement, tampering, access or copying by unauthorized persons.

Security safeguards are intended to protect personal information. Appropriate security safeguards will be used to provide necessary protection, regardless of the format in which it is held, such as physical measures (e.g. restricting access to offices), technological tools (e.g. passwords) and organizational controls (e.g. confidentiality agreements, electronic health records access audit). Employees are to access computers, files and other recorded information of the SHCHC and its programs only as authorized and required for the effective delivery of programs.

Telephone, Fax or E-mail Client Information Disclosures

Information is only disclosed following proper consent practices. Information is never given to anyone if there is any question as to the person’s identity (see Electronic Disclosure of PHI Procedure).

Security Measures for the Proper Storage of Information

Secure access shall be assured in all areas where client and employee information records are kept including case files, records stored in computer banks, central file areas and any sub-systems created for convenience.

Locked cabinets, locked shelves or a locked room in which records information is housed will assure security. Client personal information will not be transmitted via email, including names if the email is about client care issues.

Client files will not be removed from the Centre unless the Director provides special authorization. The removal of confidential information in any form from the Centre premises is discouraged and must comply with established practices. Anyone removing confidential information is accountable for protecting such information until it is safely returned to the Centre.

Confidential client information stored in computers and external memory drives (ex: USB sticks) can be accidentally destroyed or stolen. It is the responsibility of all users to protect the information stored on their personal computers. Electronic devices (mobile phones, , laptops, etc.) must be password protected in the event they are lost or stolen.  Staff who occasionally work from home must ensure they are working over a secure network and that no one else in the home has access to client information. The more confidential and sensitive the information, the more comprehensive the measures to protect it must be taken.

The photocopying of client records is the responsibility of authorized staff. All copies of information sent outside the Centre must be endorsed with the date the material was sent and contain the label “copy”.

Openness

The following information will be readily available to staff, Board of Directors, volunteers, students and clients:

• information about our policies and practices relating to the management of personal information;
• name and contact information for the Privacy Officer (in order to access information, inquire about our privacy policies or make a complaint);
• how access requests should be sent; 
• how an individual can gain access to his or her personal information;
• how to comment, complain or inquire about privacy issues; and,
• Brochures or other information that explain your SHCHC’s policies, standards or codes for confidentiality.

SHCHC will ensure the policies and practices are understandable and easily accessible.

Clients must be told during their first visit (with the exception of a few anonymous services offered by the Centre, ex: the Junction) and as required, about the policy of sharing information within the Centre and with professionals to whom they may be referred. They are invited to ask their practitioner further questions. They are asked to sign a General Consent form.

It is stressed that information is only shared as necessary to give optimum health care. Clients are assured that no information from their records will be released to anyone except as above without their express consent. They are also informed at their first visit that they have access to their personal information records.

Clients are also made aware of the limits of the confidentiality policy and mandatory disclosure.

Give Individuals Access

Upon request, a client shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information.

File Amendments

An individual can challenge the accuracy and completeness of the information and make requests for any corrections added to his/her file. A client may request that his/her practitioner amend his/her health care record. This amendment will be added to the file, the original will not be altered. If a correction is requested and is not made, the client may further their complaint to the Privacy Officer or other relevant officials. Refer to the Individual Access Procedure for additional information.

Obtaining Access

Refer to the Access to Client Records Procedure for additional information.

Privacy Breaches and Audits

A privacy breach occurs whenever a person contravenes or is about to contravene a rule under PHIPA or this Privacy Policy or related policies and procedures of the Centre, including in cases where an individual’s information is lost, stolen or accessed by an unauthorized person. 

The Centre will conduct random audits routinely, and as deemed necessary in a given circumstance. Failure to comply with PHIPA, this Privacy Policy, related policies and procedures of the Centre, whether intentionally or inadvertently, may result in disciplinary action of the Agent, up to and including termination of employment, privilege, or services.

All privacy breaches must be reported immediately to the Privacy Officer. Refer to Centre's Privacy Breach Procedure for additional information. 

Challenging Compliance

Any individual (staff, client, etc) is able to launch a challenge concerning compliance with the above principles to the Privacy Officer.

Upon a challenge, SHCHC will:

• have available simple and easily accessible complaint procedures (see Client Feedback Policy);
• inform complainants of avenues of recourse;
• investigate all complaints received;
• investigate and remedy any breach of information with the client’s best interest in mind;
• take appropriate measures to correct information handling practices and procedures; and
• record the date a complaint is received and the nature of the complaint.

The Privacy Officer will review all feedback, make changes to the policy as needed and ensure feedback response meets legislative rights and timeliness. The Officer will notify the Information and Privacy Commissioner (IPC) as necessary.

The IPC oversees the Organization’s compliance with privacy rules and PHIPA. Anyone can make an inquiry or complaint directly to the IPC by writing to or calling:

Information and Privacy Commissioner of Ontario

2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8 Canada
Phone: 1 (800) 387-0073 (or 416-326-3333 in Toronto)
Fax: 416-325-9195
www.ipc.on.ca