This policy addresses uses of personal information of clients, staff, and volunteers. Personal information is any factual or subjective information, recorded or not, about an identifiable individual. Employee personal information does not include the name, job title, work telephone number or work address, or anything that might appear on a business card.
Personal Health Information
Personal health information is defined in the Personal Health Information Protection Act (PHIPA) as identifying information relating to the physical or mental health of an individual, the provision of health care to an individual, the identification of the substitute decision-maker for the individual, and the payment or eligibility of an individual for health care or coverage for health care, including the individual’s health number. For the purpose of abbreviation, the terms “personal information” and “personal health information” will be interchangeable in this document.
Health Information Custodian
A health information custodian, as defined by PHIPA, refers to a person or organization that has custody or control of personal health information as a result of, or in connection with performing health care services. Examples include hospitals, pharmacies, community and mental health services, ambulances, long-term care homes, addiction treatment centres, etc. Custodians do NOT include housing services, prisons/detention centres, ODSP, OW, police, attorneys, food banks, shelters, CAS, etc.
The Privacy Officer
The CEO will appoint a designated privacy official. This Privacy Officer receives senior management support and has the authority to intervene on privacy issues relating to any of the operations of NorWest Community Health Centres (NWCHC). The name or title of this individual will be made available both internally and externally to ensure accessibility.
The Privacy Officer is responsible for facilitating the organization’s compliance with all privacy-related legislation. The Privacy Officer responds to client requests for access to or correction of a record of personal health information, and responds to inquiries from staff as well as the public about the Centre’s privacy policies and procedures. Finally, the Privacy Officer receives complaints from staff, clients, or the public about privacy and confidentiality-related matters.
The Privacy Officer is responsible for training staff and communicating to them information about the organization’s privacy policies and practices, such as their duties under PHIPA and the role of the Privacy Officer.
Valid and informed implied or expressed consent is required for the collection, use, or disclosure of personal health information, except when required by legislation. Information disclosure will not be made a condition for supplying service, unless the information requested is required to provide the specific service.
Consent may be implied either by the words or the behaviour of the client or by the circumstances under which treatment is given. For example, where a client arranges an appointment with a health care provider, volunteers a history, and submits without objection to physical examination, consent for the examination is clearly implied. Sharing of information with others involved within the patient’s circle of care can occur with implied consent.
Valid expressed consent may be oral or in written form and should be documented in the client’s chart. The client’s expressed consent is required before personal information can be disclosed to a family member or friend, unless the client is a child and is not deemed a competent decision maker.
The client’s written expressed consent is required for providing personal information outside of the circle of care, except when directed by statute or law.
To be valid, implied or expressed consent must be:
- Voluntarily given, in the absence of any coercion or duress
- Given by a competent person or a substitute decision-maker who has the capacity and authority to consent on the client’s behalf
- Properly informed (why we are collecting information, how we may use or disclose it, and what an individual must do to withhold or withdraw their consent).
For more information on consent to medical treatment, refer to Consent to Medical Treatment policy.
For more information on substitute decision maker, refer to Substitute Decision Maker policy.
For more information on when consent is not required to release information to a third party, refer to Third Party Request to Medical Record.
Circle of Care
Circle of care describes those who provide health care or assist in providing health care to a particular client of NWCHC. Members of a particular client’s circle of care can provide health care to the client, confidently assuming they have consent to collect, use, and disclose personal health information relevant to the care and for the purpose of that care, unless they know the client has expressly withheld or withdrawn consent.
Health Care is defined as any observation, examination, assessment, care, service, or procedure done for a health-related purpose that:
- is carried out or provided to diagnose, treat, or maintain an individual’s physical or mental condition;
- is carried out or provided to prevent disease or injury or to promote health; or
- is carried out or provided as part of palliative care and includes,
- the compounding, dispensing or selling of a drug, a device, equipment, or any other items to an individual, or for the use of an individual, pursuant to a prescription, and
- is a community service described in subsection 2 (3) of the Home Care and Community Services Act, 1994 and provided by a service provider within the meaning of that Act.
Need to Know Principle
NWCHC will maintain a clear, barrier-free, and timely process for the exchange of information amongst client circles of care, while limiting the exchange to the minimum relevant to the situation and required to provide quality care.
As part of their role at the NWCHC, staff may have access to the personal health information of clients. Unless a staff member is involved in the delivery of health care or in a function to support the delivery of health care (e.g. scanning in EMR), that staff member should not have access to the personal health information of clients. The act of accessing a client’s personal health information is considered access. This activity is tracked within the EMR at NWCHC and is subject to audits.
The provider-client relationship is built on the trust that information is for the purpose of the provision of health care and will be used by those involved in the client’s care on a need-to-know basis. When a staff member external to the circle of care accesses a client’s personal health information, they are breaching this trust and may be subject to disciplinary action.
Staff who have family members who are patients of NWCHC should notify the Privacy Officer. Staff are encouraged not to handle the personal and health information of these family members as part of their role and to refer such cases to another staff member where possible.
Lock Box Provision
Clients have the ability to withhold or withdraw their consent for the collection, use, or disclosure of personal health information, including for the provision of health care. This occurs through the “lock box” provision where the client can request that:
- A particular item be “locked”
- Their entire record be “locked”
- Disclosure to a particular custodian (e.g. one social worker) not occur
- Disclosure to a class of custodian (e.g. social workers) not occur
For our purposes, the personal health information is not locked but masked, and unauthorized access can be traced.
If a request for the “lock box” provision is made, it is recommended that a discussion occur with the client on how this might affect the health care provision. Once locked by withholding or withdrawing consent, the custodian cannot collect, use, or disclose the information unless the client changes their mind or the disclosure can be made without consent.
For more information on the lock box provision, refer to the Lock Box Policy.
Staff Authorized to Access Personal Information
Personally identifiable information should be restricted to:
- Staff providing service to the client, and their supervisor;
- Staff members providing assistance to staff providing service to the client;
- Staff assigned to tabulate and collate data;
- Appropriate administrative personnel; and,
- Volunteers and students who need access to parts of client records to complete their work or research.
Limiting the Collection, Use and Disclosure of Personal Information
We limit the collection, use, and disclosure of your personal information to what is necessary to provide you with the healthcare you requested. In order to do this, we collect, use, and disclose your personal information for the following purposes (our “Identified Purposes”):
- Establishing and maintaining communications with our clients;
- Verifying your personal information with government agencies, insurance reporting agencies;
- Compiling statistics;
- Complying with the law or requests of law enforcement agencies or regulators;
- Identifying the most appropriate services for our clients;
- Making certain they are eligible for these services;
- Sharing with other service providers (as the client allows us to) to organize their support;
- Maintaining billing and accounting information related to the services they use.
When we collect personal information, we are doing so for all of the Identified Purposes simultaneously.
Client Access to their Personal Health Record
With some exceptions, the Personal Health Information Protection Act provides individuals with a right of access to records of their own personal health information. The right of access applies to a record dedicated primarily to the individual. If the record is not primarily about the individual, the right of access extends only to that portion of the record about the individual. However, a person does not have a right of access to personal health information in a record dedicated primarily to the personal health information of another person. A client who is not satisfied with a decision of the Centre with regard to the correction of a record is entitled to complain to the Information and Privacy Commissioner.
For more information on how clients can access their personal information, refer to Access to Client Record Procedure.
Correction to Personal Health Record
If a client believes a record of personal health information is not as accurate or complete as necessary for its purpose, the client may make a written request to the Centre to correct the record. The Centre has 30 days to respond to the request. A client who is not satisfied with a decision of the Centre with regard to the correction of a record is entitled to complain to the Information and Privacy Commissioner.
For more information on how clients can request corrections to their personal information, refer to Clients Access to their Medical Records.
Accuracy of Health Records
NWCHC will work to keep personal information as accurate, complete, and up-to-date as is necessary for our identified purposes.
The confidential records as well as other documented information belonging to clients and staff members are the property of NWCHC, whose responsibility it is to take all reasonable precautions to secure the information against loss, fire, theft, defacement, tampering, access, or copying by unauthorized persons.
Safekeeping of personal information may require the following:
- Physical measures, for example, locked filing cabinets, disk data stored off site, and restricted access to offices.
- Organizational measures, for example, security clearances and limiting access on a need-to-know basis.
- Technological measures, for example, the use of passwords and encryption; virus protection, firewalls, and regular backups of electronic data stored off site.
- Storage in a safe and dry location, with data backed up off site.
If a breach in the above safekeeping measures occurs, the client will be notified immediately. An incident report will be completed and a review of our safekeeping measures will be undertaken and improvements made as appropriate.
Questions and Concerns
Complaints will be taken in the written form on the “Privacy Complaint Form” accessible by the button below or by request to the Privacy Officer. We will investigate all privacy complaints.
If we do not resolve your questions or complaint to your satisfaction, you may address your concerns to:
Privacy Officer, Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
T (416) 326-3333
1-800-387-0073 Toll Free
F (416) 325-9195