This policy addresses the uses of personal information of clients, staff and volunteers. Personal information is any factual or subjective information, recorded or not, about an identifiable individual. Employee personal information does not include the name, job title, work telephone number or work address, or anything that might appear on a business card.
Personal Health Information
Personal health information is defined in the Personal Health Information Protection Act (PHIPA) as identifying information relating to the physical or mental health of an individual, the provision of health care to an individual, the identification of the substitute decision-maker for the individual and the payment or eligibility of an individual for health care or coverage for health care, including the individual's health number. For the purpose of abbreviation the terms "personal information" and "personal health information" will be interchangeable in this document.
Health Information Custodian
A health information custodian, as defined by PHIPA, refers to a person or organization that has custody or control of personal health information as a result of, or in connection with performing health care services. Examples include: hospitals, pharmacies, community and mental health services, ambulances, long-term care homes, addiction treatment centres, etc. Custodians do NOT include: housing services, prisons/detention centres, ODSP, OW, police, attorneys, food banks, shelters, CAS, etc.
The Privacy Officer
The CEO will appoint a designated privacy official. This Privacy Officer receives senior management support and has the authority to intervene on privacy issues relating to any of NWCHC's operations. The name or title of this individual will be made available both internally and externally to ensure their accessibility.
The Privacy Office is responsible for facilitating the organization's compliance with all privacy-related legislation. He or she responds to client's requests for access to or correction of a record of personal health information and respond to inquiries from staff as well as the public about the Centre's privacy policies and procedures. Finally, the Privacy Officer receives complaints from staff, clients or the public about privacy and confidentiality-related matters.
The Privacy Officer is responsible for training and communicating to staff information about the organization's privacy policies and practices, such as their duties under PHIPA and the role of the Privacy Officer.
The valid and informed implied or expressed consent is required for the collection, use or before disclosing personal health information, except when required by legislation. Information disclosure will not be made a condition for supplying service, unless the information requested is required to provide the specific service.
Implied consent may be implied either by the words or the behaviour of the client or by the circumstances under which treatment is given. For example, where a client arranges an appointment with a health care provider, volunteers a history and submits without objection to physical examination, consent for the examination is clearly implied. Sharing of information with others involved within the patient's circle of care can occur with implied consent.
Valid expressed consent may be oral or in written form and should be documented in the client's chart. The client's expressed consent is required before personal information can be disclosed to a family member or friend, unless the client is a child and is not deemed to be a competent decision maker.
The client's written expressed consent is required for providing personal information outside of the circle of care, except when directed by statute or law.
To be valid, implied or expressed consent must be:
- Voluntarily given, in the absence of any coercion or duress
- Given by a competent person or a substitute decision-maker who has the capacity and authority to consent on the client's behalf
- The client or substitute decision maker must have been properly informed (why we are collecting information, how we may use or disclose it, and what they must to do withhold or withdraw their consent).
For more information on consent to medical treatment, refer to Consent to Medical Treatment policy.
For more information on substitute decision maker, refer to Substitute Decision Maker policy.
For more information on when consent is not required to release information to a third party, refer to Third Party Request to Medical Record.
Circle of Care
The term "circle of care" describes those who provide health care or assist in providing health care to a particular client of the NWCHCs. Members of a particular client's "circle of care" can provide health care to the client, confidently assuming that they have consent to collect, use and disclose the client's personal health information relevant to the care and for the purpose of that care, unless they know that the client has expressly withheld or withdrawn consent.
Health Care is defined as any observation, examination, assessment, care, service or procedure that is done for a health-related purpose that;
- is carried out or provided to diagnose, treat or maintain an individual's physical or mental condition;
- is carried out or provided to prevent disease or injury or to promote health; or
- is carried out or provided as part of palliative care and includes,
- the compounding, dispensing or selling of a drug, a device, equipment or any other items to an individual, or for the use of an individual, pursuant to a prescription, and
- a community service that is described in subsection 2 (3) of the Home Care and Community Services Act, 1994 and provided by a service provider within the meaning of that Act.
Need to Know Principle
NWCHCs will maintain a clear, barrier-free and timely process for the exchange of information amongst client's circle of care, while limiting the exchange to the minimum relevant to the situation and required to provide quality care.
As part of their role at the NWCHCs, staff may have access to the personal health information of clients. Unless the staff is involved in the delivery of health care to the client or in a function to support the delivery of health care (e.g. scanning in EMR), staff should not have access to the personal health information of clients. The act of accessing a client's personal health information is considered access. In the EMR at NWCHCs, this activity is tracked within the EMR and is subject to audits.
The provider-client relationship is built on the trust that the information is for the purpose of the provision of health care and will be used for those involved in the client's care on a need to know basis. When a staff external to the circle of care accesses a client's personal health information, they are breaching this trust and may be subject to disciplinary action.
Staff who have family members who are patients of the NWCHC should notify the Privacy Officer. Staff are encouraged not to handle personal and health information as part of their role and refer the case to another staff member where possible.
Lock Box Provision
Clients have the ability to withhold or withdraw their consent for the collection, use or before disclosing personal health information, including for the provision of health care. This occurs through the "lock box" provision where the client can request that:
- A particular item be "locked"
- Their entire record be "locked"
- Disclosure to a particular custodian (e.g. one social worker) not occur
- Disclosure to a class of custodian (e.g. social workers) not occur
For our purposes, the personal health information if not locked but masked and unauthorized access can be traced.
If a request for the "lock box" provision is made, it is recommended that a discussion occur with the client on how this might affect the health care provision. Once locked by withholding or withdrawing consent, the custodian cannot collect, use or disclose the information unless the client changes their mind or the disclosure can be made without consent.
For more information on the lock box provision, refer to the Lock Box Policy.
Staff Authorized to Access Personal Information
Personally identifiable information should be restricted to:
- Staff providing service to the client, and their supervisor;
- Staff member who are providing assistance to the staff providing service to the client;
- Staff assigned to tabulate and collate data;
- Appropriate administrative personnel; and,
- Volunteers and students who need access to parts of client records to complete their work or research.
Limiting the Collection, Use and Disclosure of Personal Information
We limit the collection, use and disclosure of your personal information to only what is necessary to provide you with the healthcare that you have requested. In order to do this, we collect, use and disclose your personal information for the following purposes (our "Identified Purposes"):
- Establishing and maintaining communications with our clients;
- Verifying your personal information with government agencies, insurance reporting agencies
- Compiling statistics;
- Complying with the law or requests of law enforcement agencies or regulators;
- Identify the most appropriate services for our clients;
- Make certain they are eligible for these services;
- Share with other service providers (as they client allows us to) to organize their support;
- Maintain billing and accounting information related to the services they use;
When we collect personal information, we are doing so for all of the Identified Purposes simultaneously.
Client Access to their Personal Health Record
With some exceptions, the Personal Health Information Protection Act provides individuals with a right of access to records of their own personal health information. The right of access applies to a record that is dedicated primarily to the individual. If the record is not primarily about the individual, the right of access extends only to that portion of the record that is about the individual. However, a person does not have a right of access to personal health information in a record that is dedicated primarily to the personal health information of another person. A client who is not satisfied with a decision of the Centre with regard to the correction of a record is entitled to complain to the Information and Privacy Commissioner.
For more information on how clients can access their personal information, refer to Access to Client Record Procedure.
Correction to Personal Health Record
If a client believes that a record of personal health information is not as accurate or complete as necessary for its purpose, the client may make a written request to the Centre to correct the record. The Centre has 30 days to respond to the request. A client who is not satisfied with a decision of the Centre with regard to the correction of a record is entitled to complain to the Information and Privacy Commissioner.
For more information on how clients can request corrections to their personal information, refer to Clients Access to their Medical Records.
Accuracy of Health Records
Norwest CHC will work to keep personal information as accurate, complete and up-to-date as is necessary for our identified purposes.
The confidential records as well as other documented information belonging to clients and staff members are the property of NWCHCs, whose responsibility it is to take all reasonable precautions to secure the information against loss, fire, theft, defacement, tampering, access or copying by unauthorized persons.
Safekeeping of personal information may require the following:
- Physical measures, for example, locked filing cabinets, disk data stored off site and restricted access to offices.
- Organization measures, for example, security clearances and limiting access on a "need to know" basis.
- Technological measures, for example, the use of passwords and encryption; virus protection, firewalls, regular backups of electronic data stored off site.
- Stored in a safe and dry location, data backed up off site.
If a breach in the above safekeeping measures occurs, the client will be notified immediately. An incident report will be completed and a review of our safekeeping measures will be undertaken and improvements made as appropriate.
Questions and Concerns
NorWest Community Health Centres
525 Simpson Street,
Thunder Bay, ON P7C 3J6
Complaints will be taken in the written form on the "Complaint Form" accessible from our website or by request to the Privacy Officer. We will investigate all privacy complaints. Privacy Complaint Form
If we do not resolve your questions or complaint to your satisfaction, you may address your concerns to:
Privacy Officer, Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
T (416) 326-3333
1-800-387-0073 Toll Free
F (416) 325-9195
Feel Better, Live Longer, Be Happier