Client Information Management System (CIMS). Client Data Set (CDS)
POLICIES AND PROCEDURES
Policy:
Client Information Management Systems, Client Data Set, and Kenora
Association for Community Living recognize the importance of privacy and the
sensitivity of personal health information (“PHI”). We are committed to protecting any
information that we hold. This Privacy Policy outlines how we manage Personal
Health Information and safeguard privacy.
Reference: Personal Health Information Protection Act
November 2004 (PHIPA)
Definitions:
Any reference to “your information” means your Personal Health
Information as defined by PHIPA. See Appendix 1 for specific definitions.
PHIPA IS THE LAW
Effective November 1, 2004, Health Information Custodians in the Ontario health
care system that collect, use or disclose personal health information must comply
with the Personal Health Information Protection Act, 2004.
This agency is a Health Information Custodian and is responsible for
the personal health information we collect, use, maintain and disclose, as set
out in this Policy.
WHAT INFORMATION DO WE COLLECT FROM YOU?
Ø We will ask you to give us whatever
information about your health and your family’s health that we need to care for
you.
Ø We will collect information from you for
the following purposes, which are our “main activities”: caring for you, administration of this agency
and the health care system, teaching, limited research, statistics and
complying with legal and regulatory requirements.
Ø We will either directly tell you why we are
collecting your information or we will post a notice or give you information
that describes why we are collecting your information.
Ø We may collect information about you
indirectly (i.e. from other health care providers or from your family and
friends) if necessary to provide you with care, when you cannot provide the
information yourself or cannot consent to providing the information yourself.
HOW DO WE USE YOUR INFORMATION
Ø Your information is given to your caregivers
in the Client Information Management System agencies and/or Common Data Set to
be used to care for you.
Ø Our managers, employees, professional
staff, volunteers and students are trained and understand that your information
is private and can only be used or accessed to care for you or carry out our
main activities.
Ø People who have a contract to provide
services to this agency (such as fixing equipment, maintaining computers) may
have access to your information, and we take steps through our contracts to
make sure this information is kept private.
Ø Unless we have your consent to use your
information for research purposes, your information will only be used for
research if the strict process (ensuring both privacy and ethical conduct) in
PHIPA is followed.
Ø If we use your information for any purpose
other than our main activities, we will ask your permission.
WHEN WILL WE DISCLOSE YOUR INFORMATION
Ø Unless you tell us not to, we will disclose your information to
other health care providers in the “Circle of Care” who need to know this
information to provide you with care or help to provide you with care. The “Circle of Care” includes health care
professionals, other hospitals, pharmacies, laboratories, ambulance service,
nursing homes, Community Care Access Centres (CCACs) and home service
providers who provide you with health care services.
Ø Unless you tell us not to, we may give your name and address to our
Foundation, which may contact you for fundraising purposes. You can ask not to be contacted for
fundraising at any time.
Ø Sometimes the law requires us to disclose
information about you. We will only
disclose your information when the law requires or permits us to do so.
GETTING YOUR CONSENT
Your consent to our collection, use or disclosure of your information
may be implied or express.
1. In certain circumstances we will always ask for your express (written)
consent:
· Where we are disclosing your information to someone who is not a Health
Information Custodian (i.e., to your insurer, employer, WSIB, CAS, lawyer, etc.); and
· Where we are disclosing your information to someone who is a Health
Information Custodian but for purposes other than providing you with health
care (e.g. a school nurse)
2. Where we obtain your implied consent, you will have been provided with a
notice (either posted in a place where you are likely to see it or directly
given to you) and an opportunity to withhold your consent.
· You may withdraw or limit your consent at any time, unless doing so prevents us
from recording the information we require from you by law or under professional
standards. You can give an express (written) instruction that specific
information not be used or disclosed.
3. We may sometimes collect, use or disclose your personal information without
your consent in limited instances that are expressly permitted by PHIPA. For
example, some statutes require disclosure of your information, such as the
Coroners Act and the Vital Statistics Act and Child and Family Services Act.
RETAINING YOUR INFORMATION AND DISPOSING YOUR INFORMATION
We retain your information at this agency or in premises controlled by
this agency and the Client Information Management System in a secure manner and
keep it for as long as necessary to fulfill the purposes for which it was
collected, or as required by law.
This agency has a policy in place to address the retention and
destruction of records in the organization.
This policy sets out minimum and maximum retention periods and complies
with applicable laws governing retention of information.
Where you have requested access to a record with your information, we
will retain that record until your access request is exhausted.
ACCURACY OF YOUR INFORMATION
We take reasonable steps to ensure your information is as accurate,
complete and up-to-date as necessary on collection. We will not routinely update information in
our control unless routine updates are necessary to fulfill the purposes for
which the information was collected. We
take reasonable steps to ensure that any information that is used by this
agency on an ongoing basis, including any information that is routinely
disclosed to others under this Policy, is accurate, complete and
up-to-date. Where we know that
information is not accurate, complete or up-to-date, this fact will be
indicated at the time of use or disclosure.
SECURITY OF YOUR INFORMATION
Security safeguards protect your information, in the custody or control
of this agency and the Client Information Management Systems group. These security safeguards are in keeping with
industry standards and are designed to protect your information against loss or
theft as well as unauthorized access, disclosure, copying, use or
modification.
Among the steps we take to protect your information are:
· premises security, including locked filing cabinets where cabinets are located in
publicly accessible areas;
· restricted access to information stored electronically;
· using technological safeguards like security software and firewalls to prevent
hacking or unauthorized computer access; and
· internal password and security policies.
This agency’s agents are aware of the importance of keeping your
information confidential. As a condition
of employment or obtaining/maintaining privileges, all staff are required to
sign a Confidentiality Agreement, which is reviewed and renewed annually.
We will notify you at the first reasonable opportunity if your
information is lost, stolen, or subject to unauthorized access, disclosure,
copying, use or modification.
HOW TO ACCESS YOUR INFORMATION
You can request access to any records in our custody or control that
contain your information by writing to our Privacy Officer. The guidelines for processing these requests
are available on request. You will
receive at least a preliminary response from the Privacy Officer within 30
days, and a full response within 60 days.
Your right to access your information is not absolute. We may deny access when:
· denial of access is required or authorized by law (e.g., there is a court order
prohibiting access); or
· where the request is frivolous or vexatious or in bad faith.
If the Privacy Officer refuses you access to your records, there will
be a reason given, and you will also be notified of your right to complain to
the Information Privacy Commissioner of Ontario (IPC).
You are also entitled to challenge the accuracy or completeness of any
of your information in our custody or control.
Requests to challenge and/or change your information must be directed to
the Privacy Officer in writing. You will
receive at least a preliminary response from the Privacy Officer within 30
days, and a full response within 60 days.
We may charge you a reasonable fee (based on cost recovery) for copies
of your information. We will advise you
of any fee before we make copies.
CHALLENGING COMPLIANCE
You are entitled to challenge our compliance with the principles set
out in this Policy. Please direct any
challenge in writing to our Privacy Officer.
Anyone who submits a written complaint, challenge or inquiry will be
given a written copy of our procedures governing such complaints, challenges
and inquiries.
We will investigate all complaints received. If a complaint is found to have merit, we
will take appropriate measures to address the complaint, including amending our
policies and practices relating to management of your information.
COMPLIANCE WITH THIS POLICY
All of our agents (employees, managers,
volunteers, students, and professional staff members) are required to know and
comply with this Policy. Annual
confirmation of compliance is suggested.
Any breach of this Policy may result in significant disciplinary action,
including:
· for agents and volunteers, suspension, demotion, and termination; and
· for professional staff members, restriction or revocation of privileges, in whole
or in part.
Agents may only use your information as permitted by this agency and
within the same legal limitations imposed.
All agents must notify the organization at the first reasonable
opportunity if your information is lost, stolen or accessed without
authorization.
OUR PRIVACY OFFICER
Our privacy officer is:
Lisa Thomassen.
501 Eighth Ave. South
Kenora Ontario
P9N 3Z9
807-467-5205
admin@kacl.ca
Appendix 1 - Definitions
Agent
Anyone authorized by this agency and the Client Information Management Systems
group to collect, use or disclose Personal Health Information on behalf of this
agency and not for the agent’s own purposes (for example, employees; persons
contracted to provide services who have access to Personal Health Information
(records management, copying or shredding records); health professionals with
privileges; volunteers; managers; students)
Circle of Care
Those Health Information Custodians
indicated under the definition of HIC with an asterisk (*HIC), for the purpose
of providing health care or assisting in providing health care within the
continuum of care
HIC (Health Information Custodian) includes:
Ø *health care practitioners
· Regulated
health professionals; registered drugless practitioner; social worker; person
whose primary function is to provide health care (acupuncturist, psychotherapy)
· NOT
aboriginal healers; aboriginal midwives; faith healer
Ø *service providers to CCAC
Ø *CCAC
Ø *public, private, or mental hospitals
Ø *psychiatric facilities under Mental
Health Act
Ø *independent health facilities
Ø *homes for aged, nursing homes
Ø *pharmacies
Ø *laboratories
Ø *ambulance
Ø *community health or mental health centres
whose primary purpose is providing health care
Ø evaluators under Health Care Consent Act
or assessors under Substitute Decisions Act (capacity)
Ø medical officer of health and board of
health under Health Protection and Promotion Act
Ø Minister and Ministry
Ø others as provided under the regulations
IPC - Information and Privacy Commissioner of Ontario
PHI (Personal Health Information)
Information, oral or recorded, about an
individual that does or could identify that individual and that:
Ø relates to physical or mental health
Ø includes family history as it is reflected
in record of PHI
Ø identifies the health care provider
Ø relates to payments or eligibility for
health care
Ø relates to donation of body part or bodily
substance
Ø includes the health number (replaces Health
Cards and Numbers Control Act)
Ø identifies SDM
Ø includes any non-health info that is in
record that is identifying
PHIPA - Personal Health Information Protection
Act, 2004 (Ontario)
Privacy Officer - as identified in this policy.
SDM - substitute decision maker
Title: YOUR PERSONAL HEALTH INFORMATION “STATEMENT”
Policy: Unless it
is not reasonable in the circumstances, it is reasonable to believe that an
individual knows the purpose of the collection, use or disclosure of personal
health information by a health information custodian if the custodian posts or
makes readily available a notice describing the purposes where it is likely to
come to the individual’s attention or provides the individual with such a
notice.
Reference: PHIPA 18(6)
YOUR PERSONAL HEALTH INFORMATION
This
agency in accordance with the Personal Health Information Protection Act of
Ontario Nov. 2004, recognizes the importance of the privacy of your personal
health information, and is committed to respecting, safeguarding and protecting
your personal health information.
COLLECTION OF YOUR PERSONAL HEALTH INFORMATION
We collect
personal health information about you directly from you or from the person
acting on your behalf. The personal
health information that we collect may include health history and records of
your health care. When we have your
consent, or the law permits, we collect personal health information about you
from other sources.
Before
collecting personal health information from you, we will explain to you the
purpose of collecting the information.
We will only collect, use and disclose your personal health information
with your consent, except where otherwise permitted or required by law.
USE AND DISCLOSURES OF PERSONAL HEALTH INFORMATION:
This agency
uses and discloses your personal health information to:
Ø treat and care for you in the
community,
Ø plan, administer and manage our
internal operations,
Ø conduct risk management activities,
Ø conduct quality improvement
activities,
Ø teach,
Ø conduct research,
Ø compile statistics,
Ø comply with legal and regulatory
requirements, and
Ø fulfill other purposes permitted or
required by law.
SECURITY:
Your personal
health information is kept confidential and secure and used only by those
directly involved in your care. We take steps to ensure that everyone who
performs services for us protects your privacy and uses your personal health
information only for the purposes you have consented to.
This agency has policies and procedures that outline:
Ø security practices to protect your
personal health information from theft, loss and unauthorized access, copying,
modification, use, disclosure and disposal.
Ø conducting audits and completing
investigations to monitor and manage our privacy compliance.
YOUR ACCESS TO INFORMATION
You have a
right to access and request corrections to your personal health information by
contacting the Privacy Officer at 807-467-5205.
You may withdraw your
consent for some of the above collections, uses and disclosures, subject to
legal exceptions/restrictions and with reasonable notice, by contacting your
treatment team.
HOW TO CONTACT US
Our privacy contact person is Lisa Thomassen.
501 Eighth Ave. South
Kenora Ontario
P9N 3Z9
807-467-5205
admin@kacl.ca
Title: INFORMATION PRACTICES
Policy:
A health information custodian shall make available to the public a written
statement that: provides a description of the custodian’s information practices,
describes how to contact the Privacy Officer, how to access and request
correction of personal health information and how to make a complaint to the
custodian and to the Commissioner.
Reference: PHIPA 16 (1) (a) (b) (c) (d)
This agency and the Client Information Management System and Common Data Set
are committed to maintaining the confidentiality of your personal health
information (PHI). We respect your right to privacy while assisting your
caregivers in providing your care.
SECURITY
Among the steps we take to protect your
information are:
· Secured filing areas or locked filing cabinets and restricted key access to
Clinical Information Services;
· restricted access to information stored electronically;
· using technological safeguards like security software and firewalls to prevent
hacking or unauthorized computer access; and
· internal password and security policies
ACCESS TO PERSONAL HEALTH INFORMATION
You have a right to access your personal
health information.
· Either call this agency and make a verbal request or submit your request in
writing. Office staff will be assisting you as required in completion of your
request.
· You will receive a response within 30 days (or within an additional 30 days with
explanation if required)
· Your right to access may be denied when
Ø denial of access is required or authorized by law (e.g., there is a court order
prohibiting access); or
Ø the request is frivolous or vexatious (e.g.: harassing, irritating or
troublesome) or in bad faith.
CHALLENGING DECISIONS RE: ACCESS
Ø You are entitled to challenge any decision
with respect to access to your personal health information. Please direct any challenge in writing to our
Privacy Officer.
Ø Anyone who submits a written complaint,
challenge or inquiry will be given a written copy of our procedures governing
such complaints, challenges and inquiries.
Ø We will investigate all challenges/complaints/inquiries received. If a
complaint is found to have merit, we will take appropriate measures to address
the complaint, including amending our policies and practices relating to
management of your information.
FEE SCHEDULE:
· The first 10 pages will be copied at no cost to you.
· Additional pages will be charged at a rate of $0.25 per page
REQUESTS FOR CORRECTION
· After review of your information, you will need to document IN WRITING what
corrections may be necessary
· Office staff will forward to the Privacy Officer for discussion
· You will receive a response within 30 days (or within an additional 30 days if
required).
· If you are refused a request for correction – see challenge process below
· We will not correct information if:
Ø The record was not
originally created by this agency, meaning that we would not have sufficient
knowledge, expertise and authority to correct it
Ø The information being requested is a
professional opinion or observation (e.g. a diagnosis) that has been made in
good faith.
CHALLENGING DECISIONS: CORRECTIONS
Ø You are entitled to challenge any decision
with respect to corrections to your personal health information. Please direct any challenge in writing to our
Privacy Officer.
Ø Anyone who submits a written complaint,
challenge or inquiry will be given a written copy of our procedures governing
such complaints, challenges and inquiries.
Ø We will investigate
all challenges/complaints/inquiries received.
If a complaint is found to have merit, we will take appropriate measures
to address the complaint, including, amending our policies and practices
relating to management of your information.
WITHDRAWAL OF CONSENT
· You may withdraw your consent to disclose your documents either verbally or in
writing.
· This request is not retroactive, meaning that where a disclosure of personal
health information has been made on the basis of a consent, the withdrawal of the
consent does not require us to retrieve the information that has already been
disclosed – it only means that we will stop disclosing information as soon as
we receive notice of the withdrawal.
Privacy Officer:
Lisa Thomassen
501 Eighth Ave. South
Telephone 807-467-5205
Fax 807-467-5247
Email admin@kacl.ca
Information and Privacy Commissioner of Ontario contact information:
Ann Cavoukian
80 Bloor Street - Suite 1700
Toronto, ON M5S 2V1
Telephone: (416) 326-3333
Fax: (416) 325-9195
Title: ACCESS TO PERSONAL HEALTH INFORMATION BY CLIENT
Policy: Every individual
has a right to access his/her record of Personal Health Information, subject to
limited exceptions
Reference: Personal
Health Information Protection Act - s.52
Procedure:
1. Individual would request information either verbally or in writing.
2. Office Staff will complete “consent for disclosure and/or access to Personal
Health Information” form (form 1000B)
Ø Specify information requested
Ø Clarify if request is for viewing and/or copying
Ø Ask for client contact information, i.e. telephone number
Ø Inform client of 30-day maximum processing time (+30 days if required with
explanation). Expedited request will be forwarded to the Manager for
consideration.
Ø Advise individual of copying fees for information requested
3. Forward request to the clinician/manager to approve.
4. When approval given, contact individual to arrange for:
Ø Appointment to view record and/or
Ø Arrangement to pick up the documents and verify identity of individual. If
other than identified individual picking up information, need prior permission
of that individual, who will be picking up information. Verify identity of person.
Ø Arrangement on mailing the documents
5. If request denied see COMPLAINT POLICY.
6. File consent on the record.
Title: DISCLOSURE OF PERSONAL HEALTH INFORMATION
Policy:
Disclosure of Personal Health Information to either a Health Information
Custodian or Non-Health Information Custodian must comply with the provisions of
the Personal Health Information Protection Act (PHIPA)
Reference: PHIPA s.11, s.38 (1) (2) (3) (4)
Procedure:
A. Disclosure To Non-Health Information Custodian:
A non-health custodian is defined under the legislation as those organizations or
individuals whose primary function is NOT the provision of health care, i.e.
insurance company, lawyer, Children’s Aid Society, WSIB, Tribunals, Canada
Pension Plan, Probation/Parole, Unions, Education Centres, etc.
In order to disclose information to a Non-HIC:
- Ensure valid original consent form is dated, signed and witnessed.
- Access record of personal health information (clinical record) and forward to
manager for approval to disclose.
- Enter the request in the Correspondence Log.
- Monitor closely and if request cannot be completed within 30 days, Extension
Letter (see Form 207) must be completed by Correspondence Desk (office
secretary) (requesting up to an additional 30 days to process request).
- When permission received, copy reports required, indicating on each report the
date and to whom the information is being sent.
- Attach cover letter for Release of Information (Form 205) and mark appropriate
boxes.
- Indicate on the consent form the date the request was completed and complete
Correspondence Log.
- File consent on record.
B. Disclosure To Health Information Custodian:
(see attached list of HICs under PHIPA)
Where “Your Personal Health Information
Statement” has been publicly placed for all clients to see, and/or
Where “Your Personal Health
Information Statement” has been made available to all clients to read
It can be assumed that there is implied consent under PHIPA to
disclose personal history information to a Health Information Custodian who has
requested the information, without written consent, UNLESS the patient/client
has opted out of that provision
1. When verbal request is received, complete Consent for Disclosure Form 1000-B
(with appropriate information) and indicate at the bottom that request has been
completed verbally. Sign with your signature and date (no witness is required).
2. Where request is received in writing, ensure that the consent form is valid,
i.e. client identified clearly, dated, witnessed, and signed. (Note – you can
accept any consent form as long as the criteria are met).
3. Access record of Personal Health Information (clinical record).
4. Correspondence Desk (secretary) will ensure that the person/organization
requesting the information is a Health Information Custodian. If unsure, the
Secretary will either request written consent or contact the patient/client
directly for verbal consent.
5. Secretary will refer all requests to Manager for direction.
6. Enter the request in the Correspondence Log.
7. Monitor closely and if request cannot be completed within 30 days, Form 205
(extension letter) must be completed by Correspondence Clerk (Privacy Officer)
requesting up to an additional 30 days to process request.
8. Copy reports required, indicating on each report the date and to whom the
information is being sent.
9. Indicate on the consent form the date the request was completed and complete
the Correspondence Log.
10. File consent on the record.
HEALTH INFORMATION CUSTODIANS:
- Health Care Practitioner (regulated professional,
drugless practitioner, social worker, etc.) whose primary function is to
provide health care.
- Service provider to CCAC
- CCAC
- Public Hospital
- Mental Hospital
- Psychiatric Facility under MHA
- Independent Health Facility
- Home for Aged, Nursing Home
- Pharmacy, Laboratory
- Ambulance
- Community Health or Mental Health Centre whose
primary purpose is health care
• ** Evaluator under HCCA or assessor
under SDA
• **Medical Officer of Health
• **Minister and Ministry – under other
regulations
** - Note – these are NOT considered
part of circle of care
#5 – DISCLOSURE OF PHI JANUARY 2006
CORRESPONDENCE FEES
Policy: When disclosing personal health information,
a Health Information Custodian shall not charge fees to a person that exceed
the prescribed amount or the amount of reasonable cost recovery, if no amount
is prescribed.
Reference: PHIPA 35(2)
Patient/Guardian
Ø Chart Review Only: No Charge
Ø Review and copies of the record: First 10 pages free - .25/pg after
Ø Request for dates of attendance: $15.00
Criminal Injuries Compensation Board
Ø They offer payment: $100.00
Ontario Disability Support Program
Ø They have their own fee schedule: $25.00 up to 5 pages and then $1.08 per page
thereafter
Others
Ø Insurance Company
Ø Lawyer
Ø Legal Clinics
Ø Health and Welfare Canada
$150.00 (plus .25 per page)
Ø Advocacy Office
Ø Divorce/Annulment Tribunal
Ø Applications for Life Insurance/Canada Pension Plan
Ø Add to list as groups are identified
College of Physicians and Surgeons of Ontario
Ø They have their own fee schedule: As per their schedule
AGENCIES NOT BILLED FOR REQUESTS FOR INFORMATION
Ø Children’s Aid Society
Ø Colleges/Universities
Ø Elementary/Secondary Schools
Ø Ministry of Public Safety and Security (for health services)
Ø Ministry of Transportation
Ø Add to list as agencies are identified
SECURITY OF: HARD COPY RECORD OF PHI
SECURITY OF: ELECTRONIC RECORD OF PHI
Policy: A Health Information Custodian shall take steps to ensure that the
personal health information record is protected against theft, loss and
unauthorized use or disclosure.
Reference: PHIPA 12 (1)
Procedure for Security of Hard Copies of Client Information
It is the intent of KACL to secure all client information in accordance with the
Ontario Personal Health Information Act.
1. All hard copies of Private Health Information will be secured by a locked
cabinet in each of the KACL sites. Each cabinet will only be available by key
access.
2. All computer files relating to clients will have private passwords for each
staff.
3. Confidentiality agreements are signed by each staff at the time of hiring.
4. These standards for storage and confidentiality will be communicated to each
staff.
ACCURACY OF PERSONAL HEALTH INFORMATION
Policy: A Health Information Custodian that uses Personal Health Information
about an individual shall take reasonable steps to ensure that the information is
accurate, correct and up-to-date as is necessary for the purpose for which it
uses the information.
A Health Information Custodian that discloses Personal Health Information shall
take reasonable steps to ensure that the information is as accurate, complete and
up-to-date as is necessary for the purpose of the disclosure, or clearly set
out for the person receiving the information any limitations on accuracy,
completeness or up-to-date character of the information.
Reference: PHIPA s.11
Procedure:
• Where personal health information is disclosed from a record, the Health
Information Custodian must inform the recipient if the information is not
complete, accurate or up-to-date (Form 205)
• Where any other personal health information is questionable, the person
questioning the accuracy is responsible to clarify the information with the
author and where the information is not accurate, complete and up-to-date, the
author must ensure that it is corrected.
CONSENT – IMPLIED/EXPRESS
Policy:
Where consent of an individual for the collection, use or disclosure of Personal
Health Information is required, the consent
• Must be a consent of the individual (substitute decision maker)
• Must be knowledgeable
• Must relate to the information and
• Must not be obtained through deception or coercion
• Consent may be express or implied.
• Implied or express consent may be withdrawn at any time but is not retroactive.
Reference: PHIPA S. 18(1) (2) (3) (4) (5) (6)
Procedure:
1. Consent is implied if “Your Personal Health Information” statement has been
· Posted in all client areas, and/or
· Individual has been given the information on registration or as soon thereafter
as is possible
2. Consent must be express (written) if
· Health Information Custodian makes disclosure to a person who is not a Health
Information Custodian, or
· Health Information Custodian makes disclosure to another Health Information
Custodian and the disclosure is not for the purpose of providing health care or
assisting in providing health care
3. Where consent (implied or express) is withdrawn, the Health Information
Custodian shall clearly document this withdrawal on the record of Personal
Health Information.
COMPLAINT PROCESS
Policy: An individual has the right to make a complaint concerning the
information practices of this agency. Information practices may include but are
not limited to: access, collection, use, disclosure, and loss of the record of
personal health information, individual correction requests and security issues.
Reference: PHIPA s. 56
Procedure:
1. All complaints related to information practices will be forwarded to the
Privacy Officer for discussion and direction.
2. Privacy Officer will be responsible to “log” all complaints.
3. Privacy Officer will determine if the complaint requires handling by the
Privacy Officer or can be managed at the agency level by the clinician or manager.
4. Manager will be required to provide a report on the resolution of the
complaint to the Privacy Officer.
5. If complaint requires further intervention, the Privacy Officer will:
Ø investigate the complaint and will give the individual in writing the outcome
of the investigation.
Ø ensure that individual is aware of their right to complain to the IPC.
Ø be responsible to enter any action taken into the “log.”
Ø Privacy Officer will determine if there is a possibility of “legal action” and
forward concerns.
Information Privacy Commissioner of Ontario
Suite 1700, 80 Bloor Street
Toronto, Ontario M5S 2V1
Fax: 416-325-9195
Tel: 416-326-3333
Toll Free: 1-800-387-0073
CORRECTION OF PERSONAL HEALTH INFORMATION
Policy: Where a health information custodian has
granted an individual access to a record of his/her personal health information
and the individual believes that the record is inaccurate or incomplete, the
individual may request in writing that the custodian correct the record.
Reference: PHIPA – S.55
Procedure:
1. Office staff assists individual to complete “Request for Correction” (Form 201) of his record of personal health information.
2. Inform individual of 30-day processing time (+30 days if required with explanation).
3. Manager reviews request for correction and forwards to author.
IF CORRECTION REQUEST PERMITTED:
4. If request for corrections is permitted, the author will correct either by:
Ø Striking out the incorrect information in a manner that does not obliterate the record, or
Ø If above not possible, labelling the information as incorrect, severing the incorrect information from the record, storing it separately and maintaining a link in the record that enables a person to trace the incorrect information, or
Ø If above not possible, record the correct information in the record, ensuring there is a system in place to inform a person who will access the record, that the information in the record is incorrect and what the correct information is.
5. Manager will notify the individual that actions were taken to correct the record (via Request for Correction Form - Form 201).
6. Form 201 filed on the record, copy mailed to individual.
IF CORRECTION REQUEST DENIED:
1. The author will be required to give reasons for denial of correction request (see Form 202, Notice of Refusal for Correction).
2. Manager will inform Privacy Officer of refusal and forward copies of Form 201 and Form 202.
3. If Privacy Officer agrees to the refusal, Privacy Officer will instruct Manager to forward copies of Form 201, 202, 203 (Statement of Disagreement) and 204 (Complaint Process) to the requestor. Copy of all forms filed on the chart.
4. Privacy Officer will log the refusal.
ACCESS TO PERSONAL HEALTH INFORMATION – NEED TO KNOW
Policy: Except as permitted or required by law, an agent (staff) of a health information custodian shall NOT collect, use, disclose, retain or dispose of personal health information unless the custodian permits the agent to do so.
Reference: PHIPA 17 (2); PHIPA 70 (a) (b) (c) (d)
Procedure:
Ø Office staff/managers are required to question an agent’s request to access a personal health information record (clinical record), where they are of the opinion that
  o The agent is not involved in providing direct care to the client/patient
Ø Where an agent does access personal health information where there is not a need to know, staff are required by law to report this to the Privacy Officer.
Ø An agent, acting in good faith and on the basis of reasonable belief that someone has contravened or is about to contravene this provision of the Act, shall have immunity from dismissal, suspension, demotion, discipline, or harassment.
NOTIFICATION OF STOLEN, LOST OR ACCESS BY UNAUTHORIZED PERSON
Policy: Staff of a health information custodian shall notify the custodian at the first reasonable opportunity if personal health information is stolen, lost or accessed by unauthorized persons.
Reference: PHIPA 17 (3)
Procedure:
Ø Staff to notify Privacy Officer, in writing, of stolen, lost or unauthorized access of personal health information.
Ø Staff to identify him (her) self and detail particulars of above.
Ø Staff must be prepared to meet with Privacy Officer for formal investigative process.
COLLECTION, USE & DISCLOSURE OF PHI
Policy:
Ø A health information custodian shall not collect, use or disclose personal health information about an individual unless
  o it has the individual’s consent
  o the collection, use or disclosure is permitted or required by this Act (implied consent)
Reference: PHIPA 29
Procedure:
  o “Your Personal Health Information” statement must be posted for clients to see.
  o Staff will ensure that clients are aware of collection, use, disclosure procedures on first interview.
  o Where client is not able to understand the concept of collection, use and disclosure, staff are able to continue to collect, use and disclose until such time that the client is able to view the “statement” and/or staff are able to obtain consent.
RETENTION, MICROFILMING, DESTRUCTION OF PHI
Policy:
(a) A hospital may photograph medical records and notes, charts and other materials relating to patient care for the purpose of retaining the contents thereof in lieu of the original documents where the photographing of the documents is carried out in accordance with procedures established by the board after considering the recommendations of the medical advisory committee.
(b) A Health Information Custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any. As well, where the record is subject to a request for access, the Health Information Custodian shall retain the information as long as is necessary to allow the individual to exhaust any recourse under this Act (PHIPA) that he/she may have with respect to the request.
Reference: (a) Regulation 965, Public Hospitals Act, and (b) PHIPA 13 (1) (2)
20 (2) The following records or photographs thereof with respect to patients and outpatients shall be retained by the hospital keeping the records and photographs in accordance with subsection 20 (3) of Regulation 965:
1. Medical Records
2. Notes, charts and other material relating to patient care
3. Slides made for microscopic examination from a patient or an outpatient on which a report has been made, except for blood smears that are normal in the opinion of the person making the report on the slide.
20 (3) Records referred to in subsection (2) or photographs thereof shall be retained,
1. In the case of a patient who is eighteen (18) years of age or older, for at least ten (10) years after the date of discharge or death of the patient to whom the record or photograph relates;
2. In the case of an out-patient who is eighteen (18) years of age or older, for at least ten (10) years after the date of the last visit or death of the out-patient to whom the record or photograph relates;
3. In the case of a patient who is under eighteen (18) years of age, for at least ten (10) years after the eighteenth (18) anniversary of the birth of the patient to whom the record or photograph relates; and
4. In the case of an outpatient who is under eighteen (18) years of age, for at least ten (10) years after the eighteenth (18) anniversary of the birth of the outpatient to whom the record or photograph relates.
Procedure:
1. Records meeting the requirement of #1 and #2 above may be purged of unnecessary documentation before being filmed.
2. Records meeting the requirement of #3 and #4 above, if being filmed prior to the child’s 28th birthday, must be filmed in their entirety.
3. Records of patients who have been deceased for 10 years or more may be purged of unnecessary documentation before being filmed.
4. Records of patients who have been deceased for less than 10 years must be filmed in their entirety.
5. Any records where it is known to involve a legal issue may not be purged or filmed.
6. Any record that has received a request to access may not be purged or filmed until the request has been satisfied.
Purging/Chart Preparation:
1. Determine what block of records will be filmed.
2. With each record determine last date of contact; if over 10 years and over 18 years of age at last contact, purge any non-clinical data, i.e. appointment letters.
3. If under 10 years and/or under 18 years of age, do not purge any documents.
4. Remove acco fastener.
5. Remove duplicated copies of reports.
6. Remove staples, paper clips and tape.
7. Number each page in the top right hand corner.
8. Ensure chart number recorded on each page.
9. Clip pages to chart cover.
10. Make a guide sheet for front of chart – chart number and patient number.
11. Write chart number and patient number on an index sheet.
12. File chart in box in preparation for filming.
Destroying of Hardcopy Data:
1. When film and records are returned, check a portion of the film against the hard copy data.
2. Ensure that all pages have been filmed.
3. Hard copy documents must be destroyed, either by fire or shredding.
4. A log must be kept of those records destroyed, the date and method of destruction.
Definitions (if applicable): A patient means a person received and lodged in a hospital (or service of a hospital) for the purpose of treatment. An outpatient means a person who is received in a hospital (or service of a hospital) for examination or treatment or both, but who is not admitted as a patient.
Privacy Officer must approve microfilming/destruction plan.
FORMS
Policy: A consent form and other forms are required in order to fulfill particular aspects of the Personal Health Information Protection Act.
Reference: PHIPA November 2004
Procedure:
· The forms required to meet the requirements of PHIPA are:
Form 201 - Request for Correction of Personal Health Information
Form 202 - Notice of Refusal to Make Requested change to Personal Health Information
Form 203 - Statement of Disagreement with Personal Health Information
Form 204 - Complaint Form
Form 205 - Cover Letter – Releasing personal health information
Form 206 - Cover Letter – Requesting personal health information
Form 207 - 30 Day Request for Extension to release Personal Health Information
Form 1000A - Consent to the Disclosure of Personal Health Information
Form 1000B - Request to Access Personal Health Information
Request for Correction of Personal Health Information
I, _____________________________________________
Name and Date of Birth
of _____________________________________________
Address
hereby request the following correction to my personal health information record:
☐ I also request that notice of the corrected information is given to anyone who received this information in the past.
Date: _______________________ Signature: _________________________
Action Taken By Agency
Correction Made By:
☐ Striking out incorrect information
☐ Labeling information as incorrect and removing it from the record and storing it separately (but can be traced in the event that this Agency is ever questioned about what information was removed from the record)
☐ Flagging information as incorrect and directing readers of the record to the correct information
☐ Correction Not Made – see attached “Notice of Refusal to Correct Personal Health Information Record” Form 202
Please note: You are entitled to make a complaint to the Information Privacy Office of Ontario with respect to any dealings that you had with this Agency regarding your request for correction:
Information Privacy Office of Ontario
Suite 1700
80 Bloor Street
Toronto, ON M5S 2V1
Telephone: (416) 326-3333
Toll Free: 1-800-387-0073
Fax: (416) 325-9195
REQUEST FOR CORRECTION OF PHI FORM 201 JANUARY 200
Notice of Refusal to Make Requested Correction to Personal Health Information
Date: ________________ TO: _______________________________________
Further to your “Request for Correction to Personal Health Information” dated: _____ in which the following correction was requested: ______________________
____________________________________________________________
____________________________________________________________
please be advised that we are not able to make the correction because:
☐ There was not sufficient evidence provided to demonstrate that the information was incomplete or inaccurate. Please provide the following information and your request will be reconsidered: _________________________________________
________________________________________________________________
☐ Not enough information was provided to enable us to correct the record. Please provide the following information and your request will be reconsidered: __________________________________________________
_____________________________________________________________
☐ The correction request relates to a document or documents not originally created by this agency, therefore we do not have sufficient knowledge, expertise and authority to correct it.
☐ The correction request relates to a professional opinion or observation.
You are entitled to make a “Statement of Disagreement” that outlines the information that you feel is incorrect. We will attach this “Statement” to your record, and we will provide it whenever we disclose information to which your “Statement” pertains. If you indicate it on the “Statement of Disagreement”, we will also make all reasonable attempts to provide your “Statement” to anyone to whom we have disclosed this information in the past.
Date: ______________ Signature: __________________________________
Please note: You are entitled to make a complaint to the Information Privacy Office of Ontario with respect to any dealings that you had with this agency or to the Privacy Officer for this agency (See Complaint Form 204).
Information Privacy Office of Ontario
Suite 1700
80 Bloor Street
Toronto, ON M5S 2V1
Telephone: (416) 326-3333
Toll Free: 1-800-387-0073
Fax: (416) 325-9195
NOTICE OF REFUSAL FOR CORRECTION FORM 202 JANUARY 2006
Statement of Disagreement with Personal Health Information
I, _____________________________________________________________
Name and Date of Birth
of, _____________________________________________________________
Address
hereby state that I disagree with information in my personal health information record and request that this “Statement of Disagreement” be attached to my record with respect to a correction or corrections requested but not made.
☐ I also request that this “Statement of Disagreement” be given out whenever you disclose this information from my personal health information record to which this statement relates.
☐ I also request that notice of the corrected information is given to anyone to whom this information has been disclosed in the past.
Date: _____________ Signature: ____________________________
Please note: You are entitled to make a complaint to the Information Privacy Office of Ontario with respect to any dealings that you had with the Hospital with respect to your request for correction:
Information Privacy Office of Ontario
80 Bloor Street - Suite 1700
Toronto, ON M5S 2V1
Telephone: (416) 326-3333
Toll Free: 1-800-387-0073
Fax: (416) 325-9195
Statement of Disagreement with PHI Form 203 January 2006
Complaint Form
☐ Access to Personal Health Information
☐ Disclosure of Personal Health Information
☐ Correction of Personal Health Information
☐ Other Management of Personal Health Information
I, _____________________________________________________
Name and Date of Birth
of ____________________________________________________
Address
wish to formally complain to the Privacy Officer of (name of agency) in regard to the above.
My reasons for the complaint are as follows:
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
____________________________________________________________
I understand that I will receive a response from the Privacy Officer within 30 days. I also understand that I can forward my complaint at any time directly to:
The Information Privacy Commissioner of Ontario
Suite 1700, 80 Bloor Street
Toronto, On M5S 2V1
Telephone: (416) 326-3333
Toll Free: 1-800-387-0073
Fax: (416) 325-9195
Complaint Form 204 January 2006
Request to Release Personal Health Information
Date: _____________________________
Dear
RE:
DOB:
Thank you for your request on the above named dated: ________________
☐ We will process your request upon receipt of a completed consent form (see attached)
☐ This information is being released to you under the Personal Health Information Protection Act, November 1, 2004.
☐ AS A NON HEALTH INFORMATION CUSTODIAN please be advised that you cannot use or disclose this information for any purpose other than the purpose for which we have disclosed the information under the Act, or for the purposes of carrying out a statutory or legal duty. S49(1)
☐ No records could be located with the information provided. Please forward any additional information you may have to aid us in our search.
☐ Our records indicate that this information was forwarded to you on __________.
☐ Our fee of _______ for file searching and photocopying is attached.
☐ At this time, our records are incomplete. These will be forwarded at a later date.
☐ This information may not be complete, accurate or up-to-date at this time.
☐ Other _________________________________________________________
Yours sincerely,
Manager
Agency
Request for Release of PHI Form 205
Request to Access Personal Health Information
Date: _____________________
___________________________
___________________________
___________________________
___________________________
Dear _______________________
RE: Name: ______________________________
DOB: ______________________________
☐ As per the Personal Health Information Protection Act, November 2004 regarding implied consent, we would like to request information on the above named as indicated below
…is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care or assisting in providing health care to the individual, unless the custodian that receives the information is aware that the individual has expressly withheld or withdrawn the consent. s.20(2)
☐ Please see the attached consent form with which we would like to request the information as indicated below.
☐ _____________________________
☐ _____________________________
☐ _____________________________
☐ _____________________________
☐ _____________________________
☐ _____________________________
☐ Other ____________________________________________.
Yours truly,
Request to Access Personal Health Information Form 206 January 2006
30 DAY REQUEST FOR EXTENSION TO RELEASE PERSONAL HEALTH INFORMATION
Date:
Dear _____________________
RE:
DOB:
An extension of up to 30 days is required to address your request to access the personal health information record of the above named. While every effort is made to retrieve the information requested, this extension is required for the following reasons:
_____________________________________________________________
If you have any concerns or questions, please contact ___________________.
You may file a complaint with the Privacy Officer of this agency or with the Information and Privacy Commissioner of Ontario.
This agency’s Privacy Officer
Agency
Address
Telephone:
Fax:
Ann Cavoukian
80 Bloor Street, Suite 1700
Toronto, On M5S 2V1
416-326-3333
Toll Free – 1-800-387-0073
Fax – 416-325-9195
Yours truly
30-Day Request for Extension Form 207
Consent to the DISCLOSURE of Personal Health Information
I, ____________________________________________________________
(print full name of person or substitute decision maker)
of ____________________________________________________________
(address)
hereby authorize _______________________________________________
(print name of person/facility releasing information)
to disclose personal health information of
______________________________________________________________
(name of client) (date of birth)
to: ____________________________________________________________
(name of requesting person/facility)
of _____________________________________________________________
(address of requesting person/facility)
Specify information to be released: verbal    copies from record
Other/Special Instructions _______________________________________________
___________________________________________________________
This consent is valid for 60 days unless otherwise specified: ___________________
____________________________ ____________________________
(signature of client/substitute decision maker) (Date)
____________________________ _____________________________
(signature of witness) (Date)
If consent obtained verbally, specify details _________________________________
(ie: time, method, etc.)
______________________________________________________________________
YOU MAY WITHDRAW YOUR CONSENT VERBALLY OR IN WRITING AT ANY TIME
Consent to Disclosure of PHI Form 1000A January 2006
Request to ACCESS Personal Health Information
I, _____________________________________________________________
(print full name of person or substitute decision maker)
of ____________________________________________________________
(address)
hereby request access to the personal health information compiled in this facility regarding
myself    other: ________________________________________
(name of client/date of birth/your relationship to client)
Specify type of access: verbal    copies from record
Other/Special Instructions (ie: specify information to be copied or date viewed)
________________________________________________________________
________________________________________________________________
________________________________ ____________________________
(signature of client/substitute decision maker) (Date)
________________________________ ___________________________
(signature of witness) (Date)
If consent obtained verbally, specify details ______________________________________
(ie: time, method, etc.)
____________________________________________________________________________
An administrative fee will be applied to cover photocopying and related costs.
This agency has 30 days to respond to your initial request for access. In some circumstances we require an additional 30-day extension. You will be notified in writing should this be necessary.
Request to Access PHI Form 1000B January 2006
SEARCH WARRANT
Policy: A health information custodian may disclose personal health information about an individual for the purposes of complying with a summons, order or similar requirement issued in a proceeding by a person having jurisdiction to compel the production of information.
Reference: PHIPA 41 (1) (d) (i) (ii)
Procedure:
1. Search Warrants are served by Police Officers. Ask for identification and record.
2. Most police services will call ahead and inform you of the search warrant in order to give you time to access the information required.
3. Access record of personal health information.
4. Inform manager.
5. Manager should review record to ascertain completeness and accuracy.
6. Manager should direct office staff to number each page and to make a complete photocopy of the entire record.
7. Ask police officer to accept copy of record instead of original. Officer may or may not accept copy. Original must be given if requested.
8. File copy of search warrant along with officer identification on the record.
Search Warrant January 2006
SUBPOENA
Policy: A health information custodian may disclose personal health information about an individual for the purpose of complying with a summons, order or similar requirement issued in a proceeding by a person having jurisdiction to compel the production of information.
Reference: PHIPA 41 (1) (d) (i) (ii)
Procedure:
Receiving Subpoena:
1. Subpoena should be served to the person named therein.
2. Always ask which lawyer issued the subpoena. You may need to contact him/her directly prior to the court date.
3. Request separate subpoena for the record of personal health information and for an individual clinician. Note: A subpoena should not request that the clinician bring the record of personal health information, as the record does not belong to the clinician, but to the agency. The agency should receive the subpoena for the record of personal health information.
4. All subpoenas should be directed to the attention of the Manager.
5. Manager should review the record to ensure that it is complete, accurate and up-to-date.
6. Manager should have office staff prepare the record, i.e. number each page, copy complete record. File subpoena on the record.
7. Manager may direct another staff to attend the court with the record of personal health information.
Court Process:
1. The Manager (or designate) will attend on the appointed date with the original record and complete copy.
2. The Manager (designate) will respond to appropriate questions by the court staff and request that the copy of the record be entered into evidence and the original returned to the agency. The court may or may not accept the copy.
3. You may be asked some of the following questions:
– Did you prepare or oversee the preparation of the photocopy?
– Has the record been prepared as per agency policy?
– Are you representing the agency as custodian of the record?
Usually a “yes” will suffice to the above questions.
IMPORTANT NOTES:
1. Absolutely no one has access to the record BEFORE it is entered into evidence.
2. As a clinician, who is subpoenaed, be aware that if you take personal notes with you, they may be entered into evidence. Only testify to your own involvement in the case.
Subpoena January 2006
DUTY TO WARN
Policy: A health information custodian may disclose
personal health information about an individual if the custodian believes on
reasonable grounds that the disclosure is necessary for the purpose of
eliminating or reducing a significant risk of serious bodily harm to a person
or group of persons.
Reference: PHIPA 40 (1)
Procedure:
1. A clinician who identifies a significant risk should immediately consult with the Manager.
2. Manager should consult with legal retainer to ensure that a Duty to Warn exists.
3. In consultation with the legal retainer, Manager and Clinician can determine the appropriate direction to take in:
– Informing an individual of the risk
– Consulting with the local police regarding the risk of harm to a person or group of persons
NOTE: Where there is risk to a child, under the Child and Family Services Act, the Clinician should not delay the reporting of such, but immediately contact an intake worker at Children’s Aid Society.
Duty to Warn January 2006
Disclosure/Use of Personal Health Information without Consent
Policy: If a health information custodian uses or discloses personal health information about an individual, without the individual’s consent, in a manner that is outside the scope of the custodian’s description of its information practices under clause (1) (a), the custodian must inform the individual.
Reference: PHIPA 16 (2) (a) (b) (c)
Procedure:
1. Refer to Privacy Officer to ensure a consistent approach in handling these situations.
2. Privacy Officer will inform the individual of the uses and disclosures at the first opportunity, unless under section 52, the individual does not have a right of access to a record of information. (section 52 refers to legal privilege)
3. Privacy Officer will make a note of the uses and disclosures.
4. Privacy Officer will ensure the note is kept as part of the record of personal health information about the individual or in a form that is linked to these records.
5. Privacy Officer should inform a senior person in the event that legal issues arise (i.e. civil suit).
Disclosure, Use of PHI without Consent January 2006
PRIVACY OFFICER JOB DESCRIPTION
Ø The Privacy Officer oversees the development and implementation of agency-wide privacy principles, policies and practices in compliance with the Personal Health Information Protection Act, 2004 (“PHIPA”).
Ø The Privacy Officer is responsible for coordinating all of the agency’s activities with privacy implications, as well as monitoring all its services and systems to assure meaningful privacy practices.
Ø The Privacy Officer must ensure that all agents of the agency are informed of their responsibilities with respect to privacy, including directors, employees, privileged staff members, volunteers, students and service providers who may access personal health information (“PHI”).
Ø The Privacy Officer also advocates and protects client privacy by serving as a key privacy advisor for clients, receiving complaints, handling disputes and managing client inquiries regarding their record of PHI.
Ø The Privacy Officer oversees both the internal use of PHI as well as the disclosure of PHI to individuals or any external bodies and advises agency management staff of any data protection issues that may arise.
Requirements:
A. Privacy Audit
· Performs (or has performed) initial and periodic information privacy audits and risk assessments and conducts related ongoing compliance monitoring activities.
· Ensures that appropriate and adequate consents are in place, and that PHI under the care and custody of the agency is being handled in accordance with PHIPA and agency policies.
· Reviews record retention and destruction policies.
B. Privacy Officer & Team
· Works with management to establish a Privacy Team.
· Provides development, guidance and assists in the identification, implementation, and maintenance of agency PHI privacy policies and procedures in coordination with management, the Privacy Team, and legal counsel (if necessary).
· Monitors the proper collection and use of PHI, the flow of PHI into and out of the agency, and ensures that appropriate data protection is in place.
· Advises management of data protection issues that arise.
· Serves in a leadership role for the Privacy Team’s activities.
· Serves as information privacy consultant to the agency, providing sound privacy advice as needed.
· Cooperates with client advocates, Ontario’s Information and Privacy Commissioner and agency management in any compliance reviews or investigations.
· Reports directly to the Manager.
C. Privacy Policy
· Works with the Privacy Team to develop and update, as necessary, the Agency’s Privacy Policy.
· Establishes a “need-to-know” policy to limit access to PHI to necessary recipients only.
· Works with all agents involved with any aspect of release of PHI to ensure full coordination and cooperation under the agency’s policies and procedures and under PHIPA.
· Ensures compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all of the agents in cooperation with human resources, management, and legal counsel as applicable.
D. Training and Publication
· Oversees, directs, delivers, or ensures delivery of privacy orientation, training and retraining to all managers, employees, volunteers, professional staff, students, contractors, and other appropriate third parties.
· Ensures privacy policy and other privacy information and materials, including Privacy Officer’s own contact information, are widely available to agency staff, partners and the public.
· Responsible for implementing a process for employees, volunteers and professionals to sign confidentiality agreements upon commencement and then annually.
· Initiates, facilitates and promotes activities to foster information privacy awareness within the agency.
· Maintains current knowledge of applicable federal and provincial privacy laws and monitors advancements in information privacy technologies and practices to ensure their adaptation and compliance.
· Works with management, legal counsel, and other related parties to represent the agency’s information privacy interests with external parties (federal or provincial government bodies) who undertake to adopt or amend privacy legislation, regulations, or standards.
· Works with legal counsel and management, key departments, and committees to ensure the agency has and maintains appropriate privacy and confidentiality consent authorization forms and information notices and materials reflecting current agency and legal practices and requirements.
E. Security
· Monitors the security of both hard copy and electronic records.
· Establishes, with management and operations, a mechanism to track access to PHI and to allow authorized individuals to review or receive a report on such activity.
· Reviews all system-related information security plans throughout the agency’s network to ensure alignment between security and privacy practices, and acts as a liaison to the information systems department.
· Ensures “whistleblower” protection is in place for staff to report privacy violations.
· Ensures that data sharing and confidentiality agreements are in place for all data sharing that occurs between the agency and third parties.
· Verifies that independent privacy assessments of security are undertaken.
· Ensures that a privacy crisis management plan and a written security policy are in place.
F. Complaint Process
· Establishes, administers and publishes a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the agency’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
G. Access Process
· Establishes, administers and publishes a process for responding to requests for access to PHI.
· Responsible for the correction of PHI, as necessary, or the provision of reasons where correction is refused.
· Works cooperatively with all agency staff in overseeing client’s right to inspect, amend, and restrict access to PHI when appropriate.