This policy applies to all South Georgian Bay Community Health Centre (SGBCHC) staff, volunteers, students and contracted out services.
This policy addresses the uses of personal information of clients, staff and volunteers. Personal information is any factual or subjective information, recorded or not, about an identifiable individual. Employee personal information does not include the name, job title, work telephone number or work address, or anything that might appear on a business card.
Personal Health Information
Personal Health Information is defined in the Personal Health Information Protection Act (PHIPA) as identifying information relating to the physical or mental health of an individual, the provision of health care to an individual, the identification of the substitute decision-maker for the individual and the payment or eligibility of an individual for health care or coverage for health care, including the individual’s health number. For the purpose of abbreviation, the terms “personal information” and “personal health information” will be interchangeable in this document.
Health Information Custodian
A health information custodian, as defined by PHIPA, refers to a person or organization who has custody or control of personal health information as a result of, or in connection with, performing health care services. Examples include: hospitals, pharmacies, community and mental health services, ambulances, LTC facilities, addiction treatment centres, etc. (Custodians do NOT include: housing centres, prison/detention centres, ODSP, OW, police, attorneys, food banks, shelters, CAS, etc.).
In order to provide quality care and services to our clients, we are required to collect and use personal information. The SGBCHC is committed to protecting the privacy, confidentiality and security of all information gathered from clients, staff and volunteers. The purpose of this policy is to ensure SGBCHC’s compliance with relevant legislation (PHIPA), thereby preventing the inappropriate collection, use and disclosure of personal information.
SGBCHC recognizes the dignity and self-worth of every person and their right to a safe, secure and trusting care environment. The client has the right to considerate and respectful care. The client also has the right to participate in decision making affecting his/her health. Personal information is given to the SGBCHC in trust. It is mandatory that the information remains confidential. It is important that information not circulate outside of the SGBCHC in an unauthorized manner, and it also should not pass between staff for reasons other than appropriate consultations (i.e. team huddle and case conferences).
The South Georgian Bay Community Health Centre is responsible for personal information under its control and must maintain its confidentiality at all times. All SGBCHC staff share this responsibility. Our responsibilities in protecting information also entail the assurance that third parties maintain the same levels of privacy as the SGBCHC.
Staff, volunteers, students and associates with access to client and employee information are expected to comply with the Privacy and Confidentiality Policies. As part of their orientation to the Centre, they are asked to sign a Confidentiality Agreement indicating they understand and agree to abide by the policy. A copy of the signed statement will be kept in the personnel/HR record. The obligation of confidentiality remains in effect even after termination of employment.
It is the responsibility of the Executive Director or designate, to ensure that any person having access to client and employee information is made aware of the policies and procedures concerning confidentiality and that each individual sign the Confidentiality Agreement.
The Privacy Lead
The Executive Director may appoint a designated privacy lead. The name and title of this individual will be made available both internally and externally to ensure their accessibility.
The Privacy Lead is responsible for facilitating the organization’s compliance with all privacy-related legislation. He or she responds to clients’ requests for access to or correction of a record of personal health information and responds to inquiries from staff as well as the public about the Centre’s privacy policies and procedures. Finally, the Privacy Lead may be involved in receiving complaints from staff, clients or the public about privacy and confidentiality-related matters.
The Privacy Lead, along with Senior Management, is responsible for training staff and communicating to them information about the organization’s privacy policies and practices, such as their duties under PHIPA and the role of the Privacy Lead.
Confidentiality of Staff and Centre Information
Employee, Volunteer and Student Information
Each employee, volunteer and student shall maintain the confidentiality of personnel files or employment records of employees, volunteers and students at the Centre.
An employee or volunteer shall not disclose any information about business affairs or operations of the Centre for his/her purpose or the purposes of any other organization or individual.
External or Third Party
Confidentiality Agreements will be signed by non-SGBCHC employees who are in attendance or working in areas where confidential information would exist within the SGBCHC.
Purposes of Information Collection
Information will be gathered from the client, participant, employee or third party for specific purposes. This individual must be informed in a meaningful way of the purpose for the collection of personal information at or before the time of collection. SGBCHC shall only collect the information it needs to fulfill the identified purpose. When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use.
Example Purposes for Data Collection:
- To provide direct care
- To contact clients/volunteers regarding upcoming events
- To submit information required by funding agencies (i.e. Ministry of Health)
- To plan programs and services
- To employ individuals
- Quality Improvement (i.e. evaluation and chart audits)
- Any other reason needed to provide services
Valid and informed consent of the individual is required for the collection, use or disclosure of personal information, except when required by legislation. The individual’s consent will be obtained before or at the time of collection, as well as when a new use is identified.
Refer to Appendix A Group Consent and Appendix B Request for Medical Release to SGBCHC
Information disclosure will not be made a condition for providing service, unless the information requested is required to provide the specific service.
Consent may be withdrawn and/or withheld at any time. Please refer to Appendix H - Client Consent Withdrawal Form.
Staff and administration shall use consent forms provided by SGBCHC. Signed consent forms must be kept in the client/employee file. Verbal consents must be recorded for easy reference in the client’s file in case an individual requests an account of such information.
When SGBCHC receives personal health information about an individual for the purpose of providing health care to the individual, the Centre is entitled to assume that it has the individual’s implied consent to collect, use or disclose, to a health information custodian only, the information for the purposes of providing health care to the individual. The Centre may NOT make this assumption if it is aware that the individual has expressly withheld or withdrawn his consent. Furthermore, it will not assume implied consent if a client’s personal health information was collected for other purposes.
Valid and Informed Consent
Informed consent means that the client/employee or Substitute Decision Maker (SDM) has received clear and understandable information about the facts, implications and consequences of an action that a person would require in order to decide about the benefits and risks of providing their information, the alternative courses of action and the consequences of not providing their information.
To ensure informed consent, the service provider must disclose to the client the nature of the information gathering, its purpose, any risks, and the consequences of not providing consent. The practitioner must answer any specific questions posed by the client. The client must always be given the opportunity to withdraw their consent.
In order for consent to be “valid”, the following criteria must be met:
- Consent must be voluntary
- The client must have the physical and mental capacity to consent
- The client must have been properly informed.
Verbal consent may be obtained for release of medical information to family members or friends if agreed upon by client. Information regarding who the release of medical information should be disclosed to will be documented in the client’s chart as a “Special Note” with date and who consented the client, as well as who has access to this information.
The capacity to consent to a treatment is not age-dependent and as such, the Most Responsible Provider (MRP) must make a determination of capacity to consent to a treatment, or release of information for a minor just as they would for an adult. If a minor is capable with respect to care, the MRP must obtain consent from the minor directly even if the minor is accompanied by his or her parent(s) or guardian(s). Therefore, if a minor is deemed competent by the MRP, no information can be given without consent to a minor’s parents or SDM.
Competence to Consent
An incapable person cannot provide valid consent. If a practitioner determines a client is unable to consent, a SDM must then act on his/her behalf. All rights of an individual apply to his/her SDM.
People who are judged to be incompetent in one instance are not necessarily incompetent in all instances, and may be capable of consenting in a later situation. Also, people have the right to make unreasonable decisions, as long as they are competent and can demonstrate that they fully appreciate the consequences of their decisions.
When a patient’s mental capacity is in doubt:
- The MRP (i.e. MD/NP) makes a judgment as to whether the client is able to appreciate the nature and consequences of their consent
- The MRP, if unable to render an opinion, consults a second service provider, preferably a psychiatrist
- The MRP notes in the client’s chart that competency testing and consultation were undertaken, and the conclusion that was reached
- The proper SDM/MRP must make the decisions when an incapable person cannot provide valid consent
- Findings of incapacity come with obligations according to the law with respect to providing information to clients.
Staff members will:
- limit the amount and type of information gathered to what is necessary for the identified purpose
- ensure that there is a justifiable purpose for obtaining and recording information about a client
- not collect personal health information by misleading or deceiving individuals about the purpose for which the information is collected.
Staff Access and Disclosure
SGBCHC strives to offer a range of programs and services that are holistic and recognize that a multitude of factors can affect a client’s health and well-being. For this reason, it is important that there are open lines of communication between service providers and SGBCHC programs to ensure the most effective and efficient utilization of services possible. There are both formal and informal means of sharing information, ranging from verbal consultation to referral forms and shared care.
SGBCHC will use or disclose personal information only for the purpose for which it was collected, unless the individual consents otherwise, or the use or disclosure is authorized by law.
Disclosure Related to Risk
A health information custodian may disclose personal health information about an individual if the custodian believes on reasonable grounds that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons. 2004, c. 3, Sched. A, s. 40 (1).
Disclosures Related to Care or Custody
A health information custodian may disclose personal health information about an individual to the head of a penal or other custodial institution in which the individual is being lawfully detained or to the officer in charge of a psychiatric facility within the meaning of the Mental Health Act in which the individual is being lawfully detained for the purposes described in subsection (3). 2004, c. 3, Sched. A, s. 40 (2).
A health information custodian may disclose personal health information about an individual under subsection (2) to assist an institution or a facility in making a decision concerning, (a) arrangements for the provision of health care to the individual; or (b) the placement of the individual into custody, detention, release, conditional release, discharge or conditional discharge under Part IV of the Child and Family Services Act, the Mental Health Act, the Ministry of Correctional Services Act, the Corrections and Conditional Release Act (Canada), Part XX.1 of the Criminal Code (Canada), the Prisons and Reformatories Act (Canada) or the Youth Criminal Justice Act (Canada). 2004, c. 3, Sched. A, s. 40 (3).
Disclosures for Proceedings
A health information custodian may disclose personal health information about an individual, (a) subject to the requirements and restrictions, if any, that are prescribed, for the purpose of a proceeding or contemplated proceeding in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding; (b) to a proposed litigation guardian or legal representative of the individual for the purpose of having the person appointed as such; (c) to a litigation guardian or legal representative who is authorized under the Rules of Civil Procedure, or by a court order, to commence, defend or continue a proceeding on behalf of the individual or to represent the individual in a proceeding; or (d) for the purpose of complying with, (i) a summons, order or similar requirement issued in a proceeding by a person having jurisdiction to compel the production of information, or (ii) a procedural rule that relates to the production of information in a proceeding. 2004, c. 3, Sched. A, s. 41 (1).
Access to Client and Employee Information
Personally identifiable information should be restricted to:
- Staff providing service to the client
- Staff who are providing assistance (e.g. coverage) to the staff that provide services to the client
- Staff assigned to track data
- Appropriate administrative personnel, volunteers and students who access parts of client records to complete their work
- Case discussions (clinical team huddle), consultation
When staff, client or volunteer safety is at risk (reference to Health and Safety Policies and Procedures) this will take precedence. However, in any instance, the minimum amount of information judged necessary to help minimize the potential harm is disclosed.
For problem solving purposes or for finding an appropriate resource for a client, staff do not need to identify clients in any way. Sharing of information is done only when appropriate to provide the client with quality holistic service by our health care team as defined by Circle of Care (see IPC document Circle of Care). If staff members have mutual clients, clients can be identified in discussions. Staff consultations and case management opportunities are essential for updating providers on new and pertinent information about a client, seeking consultation and supervision in serving a client or developing plans of care for such client. This may be in the form of a clinical staff huddle/conference or Health Links Case Conference/Think tank. However, in order to provide clients with comprehensive health care, their personal information may be shared among those staff members who are directly involved with their care.
Sometimes a client may wish to specify that certain staff or third parties not have access to the file or to be a part of the information therein (Lockbox). Refer to Lock Box procedure for more information.
Refer to Appendix H Client consent withdrawal.
Day to Day Maintenance in the Limitation of Disclosure
- All records are maintained on an Electronic Medical Record. Technological measures are in place for security, i.e. use of passwords and encryption, virus protection, firewalls, and regular back-ups of electronic data that are stored off site
- Appointment and records books are kept closed when not in use and are stored securely when the employee is not at work
- Client information is not to be discussed in open areas, such as waiting areas, the kitchen, or hallways
- All telephone conversations are kept as private as possible.
- Client data is never to be left on/open on the computer screen where it could be viewed by a passerby, nor is it left on the counter in any office or open area. Staff are required to lock the computer when away from the desk, and no charts, other than that of the client they are seeing, should be visible on their screen.
Staff Members will keep informal notes about a client (telephone calls, messages, etc.) that are only needed temporarily. While these notes may not necessarily become part of a client’s file/chart/EMR, they should be treated with the same level of confidentiality and with the same confidentiality practices. When discarding informal notes, care should be taken to ensure that they are destroyed in an appropriate manner. All paper with client information needs to be placed in shredding bins found in the office.
It is the responsibility of Staff Members to:
- Create and maintain client records which are clear, concise, comprehensive, professional and which serve to further the care of the client
- Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties (such as referring to a specialist).
Refer to Request of Correction of Client Records Form - Appendix C
The confidential records as well as other documented information belonging to clients and staff members are the property of SGBCHC. It is the responsibility of SGBCHC to take all reasonable precautions to secure the information against loss, fire, theft, defacement, tampering, access or copying by unauthorized people.
Security safeguards are intended to protect personal information. Appropriate security safeguards will be used to provide necessary protection, regardless of the format in which it is held, such as physical measures (e.g. restricting access to offices), technological tools (e.g. passwords), and organizational controls (e.g. confidentiality agreements, EMR access audit). Employees are to access computers, files and other recorded information of the SGBCHC and its programs only as authorized and required for the effective daily delivery of care and programs.
Telephone, Fax or Email Client Information Disclosure
Information is only disclosed following proper consent practices. Information is never given to anyone if there is any question as to the person’s identity. Proper ID must be shown if there is a question about one’s identity.
Refer to Appendix D Client Consent to Use Electronic Communication with SGBCHC and Appendix I, Fax Cover Sheet
Security Measures for the Proper Storage of Information
Secure access shall be assured in all areas where client and employee records are kept including case files, records stored in computer banks, central file areas and any sub-systems created for convenience.
Locked cabinets, locked shelves or a locked room in which records are stored will assure security. Client personal information will not be transmitted via email, including names if the email is about client care issues.
Client files will not be removed from the CHC unless the ED provides special authorization. The removal of confidential information other than client files (e.g. meeting information, finance, data) from the CHC is discouraged and must comply with established practices. Anyone removing confidential information is accountable for protecting such information until it is safely returned to the CHC.
Confidential client information stored in computers and external encrypted USB drives can be accidentally destroyed or stolen. It is the responsibility of all users to protect the information stored on their personal computers. Electronic devices (e.g. phones, laptops) must be password protected in the event they are lost or stolen. USB drives must be encrypted and, when not in use, stored in the office of the Privacy Lead or the ED. These can be signed out when needed. Staff who occasionally work from home must ensure they are working over a secure network and that no one else in the home has access to client information. The more confidential and sensitive the information, the more comprehensive the measures taken to protect it must be.
The photocopying of client records is the responsibility of authorized staff. All copies of information sent outside the CHC must be endorsed with the date the material was sent and contain the label “copy”.
The following information will be readily available to staff, Board of Directors, volunteers, students and clients:
- Information about our policies and practices relating to the management of personal information
- Name and contact information for the Privacy Lead (in order to access information, inquire about our privacy policies or make a complaint)
- How access requests should be made
- How an individual can gain access to his or her personal information
- How to comment, complain or inquire about privacy issues and
- How to find information that explains SGBCHC’s policies, standards or codes for confidentiality
SGBCHC will ensure the policies and procedures are understandable and easily accessible.
Clients must be told during their first visit or as required, about the policy of sharing information within the CHC and with professionals to whom they may be referred. They are invited to ask their practitioner further questions. Clients are asked to sign a General Consent form.
It is stressed that information is only shared as necessary to give optimum health care. Clients are assured that no information from their records will be released to anyone except as above without their expressed consent. They are also informed at their first visit that they have access to their personal health records according to SGBCHC’s Policy.
Clients are also made aware of the limits of the Confidentiality Policy and Mandatory Disclosure.
Give Individuals Access
Upon request, a client shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information according to SGBCHC’s policies.
A client/SDM can challenge the accuracy and completeness of the information within the client’s file/EMR and make requests for any corrections to be made. A client may request that his/her practitioner amend his/her health care record. This amendment will be added to the file; however, the original will not be altered. The client may further their request to the Privacy Lead or Management. The Privacy Lead will review all requests, make changes to the policy as needed and ensure feedback response meets legislative rights and timeliness.
Refer to Appendix C - Request for Correction of Client Records
Breach of Privacy
Refer to Privacy Breach Procedure as well as Appendix E - Privacy Breach Notification Letter, Appendix F - Incident Report and Appendix G - Privacy Lead Investigation of a Privacy Incident.
Follow Appendix J for Breach of Privacy Procedure
If we do not resolve your privacy complaints or concerns, you may address them to:
Privacy Officer, Information and Privacy Commissioners Office of Ontario
2 Bloor Street East, Suite 1400, Toronto, ON, M4W 1A8