Aberdeen and Your Right to Privacy:
The Personal Health Information Protection Act (2004)
The Personal Health Information Protection Act (PHIPA) became law on November 1, 2004. This law:
- Creates a common set of rules for the collection, use and disclosure (sharing) of personal health information (PHI) by “health information custodians” (custodians).
- It requires certain procedures to be in place to protect PHI.
- It describes the times when a healthcare worker can share PHI within their own agency, and circumstances in which they can or must give it to someone outside their agency.
- It provides rules for consent, capability and substitute decision-making in relation to PHI.
- It promotes the appropriate sharing of PHI so that clients can receive and benefit from integrated health services (health services that work together).
- It creates rules for access to and correction of records of PHI.
- It designates the Information and Privacy Commissioner of Ontario as the body that oversees compliance with the Act.
Health Information Custodians
A custodian can be defined as: (1) a person responsible for something valuable; (2) somebody responsible for holding or looking after valuable property on behalf of a company or another person. (Definition from Encarta)
Aberdeen is considered a “health information custodian” (custodian). This means we are custodians of your personal health information. How we collect, protect, use, store and delete your health information is governed by PHIPA (the Personal Health Information Protection Act).
Aberdeen’s Health Information Management System (HIM) is in place to ensure we are acting in accordance with the Fair Information Practice Principles set out in federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA) and the provincial privacy legislation, Bill 31, the Health Information Protection Act (HIPA) [specifically, Schedule A, also known as the Personal Health Information Protection Act (PHIPA)]. These pieces of legislation all relate to the collection, use, disclosure and retention of personal information.
As Aberdeen and our partners in care move into a more digital age, our commitment to protecting your health information remains constant. That said, the way we do that may change.
We make sure all of our staff know about and support our HIM policies and practices. All staff and volunteers sign a confidentiality agreement when hired and, starting this year, staff will sign the agreement every year.
The following Aberdeen policies are part of our Health Information Management System:
- Confidentiality Agreement
- Client In-Home Record
- Retention and Destruction of Health Records
- Shared Client Records
- Requests to View Client Records
- Request to Amend the Client Record
- Aberdeen’s Privacy Policy – information sheet for clients
As mentioned above, the Personal Health Information Protection Act (PHIPA) came into being in 2004. It is structured on the 10 Fair Information Practices published by the Canadian Standards Association (CSA), which form the basis of most privacy legislation around the world.
Accountability for Aberdeen’s compliance with the principles rests with the Board and/or Executive Director, who have overall accountability, with delegated authority to the Chief Privacy Officer (CPO), although other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).
Our Chief Privacy Officer oversees and monitors Aberdeen’s compliance with the principles.
Aberdeen’s policies and processes uphold the 10 fair information practices. Those 10 practices or principles are:
Principle 1 - Accountability for Personal Information
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
Aberdeen is responsible for personal information in its possession or custody, including information that needs to be transferred to another organization for processing. Aberdeen shall use contract agreements or other legal means to provide an equal level of protection while the information is being processed by the other organization.
Principle 2 - Identifying Purposes for Collecting Personal Information
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The main purposes for which personal information is collected are: the delivery of care, client health education, teaching of health care students, assuring quality of services, managing risk, research and statistical analysis, and to meet legal and regulatory requirements.
Aberdeen identifies the purposes for which personal information is collected in order to comply with this Principle as well as the Openness Principle (#8) and the Individual Access Principle (#9).
When personal information that has been collected is to be used for a purpose not listed above, the new purpose shall be identified prior to use. Unless the new purpose is required or allowed by law, the consent of the individual is necessary before information can be used for the new purpose.
Persons who collect personal information will be able to explain the purpose(s) for which the information is being collected. Sometimes the new use for the information is explained in materials such as an admission or appointment form, or a brochure.
Principle 3 - Consent for Collection, Use and Disclosure of Personal Information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Consent means the client’s permission. Consent is required for the collection of personal information and for the subsequent use or disclosure of this information. Where possible, Aberdeen shall seek consent for the use or disclosure of personal information at the time the information is collected. In emergency situations this is sometimes not possible.
Aberdeen shall make a reasonable effort to ensure that individuals are made aware of the reasons information is being used or disclosed. The reasons/purposes must be stated in a way that the client/individual understands how the information will be disclosed – this will ensure that the consent is meaningful.
In the consent process, the reasonable expectations of the client/individual are important.
Here’s an example:
An individual who has an appointment at the Nurse Practitioner Clinic for blood tests must reasonably expect that Aberdeen, in addition to using the individual's personal information for treatment purposes, may also contact the collaborating physician to report results or place the individual on a waiting list.
In some cases, Aberdeen may assume the individual's request for service is an implied consent for specific, related purposes. On the other hand, an individual would not reasonably expect that personal information given to Aberdeen would be given to a company selling health care products, for example, unless specific consent was obtained.
Sometimes personal information may be collected, used, or disclosed without the consent of the individual. For example, legal or security reasons may make it impossible to seek consent. When personal information is disclosed for the detection and prevention of fraud or for law enforcement purposes, seeking the consent of the individual may not be required.
As well, the process for consent may be different, depending on the circumstances, the type of information collected and the requirements of applicable legislation. For example, a legal guardian, a substitute decision-maker as defined under the Health Care Consent Act, 1996, or a client's representative under the Mental Health Act may consent to the collection, use or disclosure of personal information on behalf of the person whom they are legally authorized to represent.
Individuals may give consent in a variety of ways:
- An appointment form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- Consent may be given orally when information is collected over the telephone, and should be so recorded; or
- Consent may be given at the time that the individual receives a service or treatment.
Consent shall not be obtained through dishonesty or intimidation.
Consent may be withdrawn at any time, subject to legal or contract-related restrictions and reasonable notice. Aberdeen shall inform the individual of the right to withdraw consent and of the implications of doing so. Withdrawal is not retroactive and is only valid on a ‘go forward’ basis.
Principle 4 - Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Aberdeen shall specify the type of information that may be collected as part of its information-management policies and practices, in accordance with the Openness principle. Both the amount and the kind of personal information collected will be limited to that which is necessary to fulfill the purposes identified.
Principle 5 - Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
When using personal information for a new purpose, Aberdeen will document this purpose.
Aberdeen and individual departments, as appropriate, shall develop policies, guidelines and/or procedures with respect to the disclosure and retention of personal information. Legislative requirements with respect to the retention and destruction of personal information will be applicable.
Client health records created by Aberdeen will be maintained such that previous records will be pulled forward and filed with current activity records. Records will be stored in hard copy until they are eligible for destruction.
Principle 6 - Accuracy of Personal Information
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
The extent to which personal information will be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that incorrect information may be used to make a decision about the individual. Organizational, professional, legislative and industry standards will be taken into consideration, as applicable.
Aberdeen will update personal information to ensure that it is accurate and complete; this is done each time a client starts service with Aberdeen.
Principle 7 - Safeguards for Personal Information
Security safeguards appropriate to the sensitivity of the information shall protect personal information.
Security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Aberdeen will protect personal information regardless of its format (e.g. verbal, written). Each department will routinely review and ensure staff are following Aberdeen’s Health Information Management Policy and Procedures to safeguard personal information, specific to its circumstances.
The methods of protection will include the following measures:
- Physical/Equipment (e.g. locked filing cabinets and restricted access to offices)
- Administrative (e.g. confidentiality agreements and limited access for staff)
- Technological (e.g. the use of passwords and access controls)
Due diligence and care will be used in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information.
Principle 8 - Openness about Privacy Policy
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Aberdeen shall be open about its policies and practices with respect to the management of personal information. Individuals will be able to acquire information about its policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
Information made available will include:
- The name or title and address of the person who is accountable for Aberdeen’s policies and practices, and to whom complaints or inquiries can be forwarded;
- The ways to gain access to personal information held by Aberdeen;
- A description of the types of personal information held by Aberdeen, including a general explanation of its use;
- A copy of any brochures or other information that explain Aberdeen’s policies, standards or codes; and
- What personal information is made available to related organizations (e.g. the CCAC).
Aberdeen makes information on its policies and practices available in a variety of ways. For example, a written commitment to privacy is given to each client, information is published online, and an informational telephone number is published on Aberdeen’s website.
Principle 9 - Individual Access to Personal Information
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Upon request, Aberdeen will tell an individual whether or not Aberdeen holds personal information about the individual. Aberdeen will allow the individual access to his/her own information in accordance with relevant legislative requirements. In order to receive access to one's own hospital record, a written request must be made to Aberdeen’s Executive Director. In compliance with PHIPA and the Mental Health Act (MHA), Aberdeen has processes in place relating to access and disclosure of mental health records.
An individual is required to provide enough information to allow Aberdeen to determine whether it holds information on that individual and how that personal information has been used and disclosed. The information provided will only be used for this purpose. Aberdeen may choose to help you understand the information by having it explained to you by a nurse or Nurse Practitioner.
When a person can show, to our satisfaction, that the health information we have about them is wrong or is missing some information, it may be corrected. If the record is corrected, the correction will be put with the record as an additional piece of information. Clinical information and opinions will not be deleted from the health record.
Sometimes, Aberdeen may not be able to provide access to all personal information about an individual. Exceptions may include information that is too costly to provide, information that contains references to other individuals, information that cannot be disclosed due to legal, security or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
Principle 10 - Challenging Compliance with the Privacy Policy
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.
The Executive Director or Chief Privacy Officer shall be accountable for Aberdeen’s compliance with these Principles and legislative requirements under PHIPA. Aberdeen will put procedures in place to receive and respond to complaints or inquiries about policies and practices relating to the handling of personal information. Aberdeen is committed to investigating all complaints and to taking appropriate action, including where necessary, modifying policies and practices.
REFERENCES
1. Ontario, Provincial Legislature. Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. (Online) Available: http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/04p03_e.htm
2. Canada, Parliament, House of Commons. Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5. (Online) Available: http://laws.justice.gc.ca/en/P-8.6/index.html
3. Yamashita M, et al. Ontario Hospital Association (OHA), Ontario Hospital eHealth Council, Privacy and Security Working Group. Guidelines for Managing Privacy, Data Protection and Security for Ontario Hospitals. July 2003.
4. COACH: Canada's Health Informatics Association, Security and Privacy Committee. Guidelines for the Protection of Health Information. May 2001.
5. Ontario, Provincial Legislature. Mental Health Act, R.S.O. 1990.
6. Fact Sheet: Secure Destruction of Personal Information. Office of the Privacy Commissioner/Ontario. November 2005.