Policy Statement
At Clinic 360 privacy is governed by the Personal Health Information Protection Act (PHIPA), a law that establishes rules concerning the collection, use and disclosure of personal health information. As a health information custodian, Clinic 360 and its agents (including staff, physicians, students and volunteers) are responsible for ensuring that the personal health information of our patients is treated with respect and sensitivity.
Accountability for Personal Health Information
Clinic 360 is responsible for personal health information under its control in compliance with the Personal Health Information Protection Act (PHIPA), 2004.
Accountability for compliance of the Clinic 360 with the policy rests with the Clinic Director, although other individuals within Clinic 360 are responsible for the day-to-day collection and processing of personal health information. Clinic 360 is responsible for personal health information in its possession or custody, including information that has been transferred to an agent of Clinic 360. Clinic 360 will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Clinic 360 has implemented policies and practices to give effect to this policy, including but not limited to:
- Procedures to protect personal health information.
- Signing of a Confidentiality Agreement by all agents of Clinic 360 prior to commencement of employment or affiliation with Clinic 360.
- Procedures to receive and respond to complaints and inquiries about Clinic 360’s information practices.
- Responding to requests for access to, or corrections of, personal health information in the custody of Clinic 360.
Identifying Purposes for the Collection of Personal Health Information
Permitted purposes are the delivery of direct patient care, the administration of the health care system, and meeting legal and regulatory requirements as directed in by PHIPA.
Identifying the purposes for which personal health information is collected at or before the time of collection allows Clinic 360 to determine the information it needs to collect to fulfill these purposes.
We only collect the information that is required to provide patient care and administrative duties which includes but are not limited to communicating with patients, follow up protocols and setting of appointments. We do not collect any other information, or allow information to be used for other purposes, without the patient’s express consent. This excludes where we are authorized to do so by law. These limits on collection ensure that we do not collect any unnecessary information.
Consent for the Collection, Use & Disclosure of Personal Health Information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal health information, except where inappropriate.
Note: In certain circumstances, personal health information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. Seeking consent may be impossible or inappropriate, for example when the individual is seriously ill or mentally incapacitated. In these circumstances, consent of the individual’s substitute decision maker will be sought, where feasible.
Consent is required for the collection of personal health information and the subsequent use or disclosure of this information. Typically, Clinic 360 will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when Clinic 360 wants to use information for a purpose not previously identified). Clinic 360 will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Clinic 360 will not, as a condition of providing care, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the specified and legitimate purposes. In obtaining consent, the reasonable expectations of the individual are also relevant. Clinic 360 can assume that an individual’s request for treatment constitutes implied consent for specific purposes. The way in which Clinic 360 seeks consent may vary, depending on the circumstances and the type of information collected.
Individuals can give consent in many ways. For example:
- A form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and specified uses and/or disclosures.
- Consent may be given verbally or in writing at the time that individuals use a health service
- Consent may be given verbally when information is collected over the telephone.
In cases where express consent is required and it is provided verbally, this exchange is documented in the patient’s record of personal health information.
An individual may withdraw consent at any time, subject to legal restrictions and reasonable notice. Withdrawal of the consent will not have a retroactive effect. Clinic 360 will inform the individual of the implications of such withdrawal.
Limiting Collection of Personal Health Information
The collection of personal health information will be limited to that which is necessary for the purposes identified by Clinic 360. Information will be collected by fair and lawful means. Clinic 360 will not collect personal health information indiscriminately. Information collected will be limited to that which is necessary to fulfill the purposes identified. This requirement implies that consent with respect to collection must not be obtained through deception.
Limiting Use, Disclosure & Retention of Personal Health Information
Personal health information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal health information will be retained only as long as necessary for the fulfillment of those purposes. If using personal health information for a new purpose, Clinic 360 will document this purpose. Personal health information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous in accordance to applicable legislation.
Ensuring Accuracy of Personal Health Information
Clinic 360 will take reasonable steps to ensure that information is as accurate, complete, and up to date as is necessary to minimize the possibility that inappropriate information may be used to make a decision about the individual. Limitations on the accuracy and completeness of personal health information disclosed will be clearly set out to the recipient where possible. When an individual successfully demonstrates the inaccuracy or incompleteness of personal health information; Clinic 360 will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the individual, Clinic 360 will record the substance of the unresolved challenge in the form of a letter from the patient stored in the patient’s medical record. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
Ensuring Safeguards for Personal Health Information
Security safeguards appropriate to the sensitivity of the information will protect personal health information. Security safeguards are used to protect personal health information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Clinic 360 protects personal health information regardless of the format in which it is held. The nature of safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.
The methods of protection will include:
- physical measures, for example, locked filing cabinets and restricted access to offices
- organizational measures, for example, policies, training, limiting access on a “need-to-know” basis
- technological measures, for example, the use of passwords, secure computer networks, encryption, and audits
Clinic 360 will make its employees aware of the importance of maintaining the confidentiality of personal health information. As a condition of employment, all new Clinic 360 employees/agents (e.g., employee, clinician, volunteer , student, consultant, or contractor) must sign a Confidentiality Agreement with Clinic 360. This safeguard may also be facilitated through contractual provisions. Personal health information being transported outside of Clinic 360 will be done so in a secure manner.
Care will be used in the disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the information.
Openness About Personal Health Information Policies & Practices
Clinic 360 values patient privacy and acts in accordance to ensure that it is and remains protected. This policy was written to explain how our office practices and upholds federal and provincial requirements for the protection of personal information. This policy describes how our office collects, protects and discloses the personal information of patients and the rights of patients in respect to their personal information. As an office, we are available to answer any patient questions regarding our privacy practices
Individual Access to Own Personal Health Information
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal health information and will be given access to that information. A written request may be required by Clinic 360 to adequately identify you. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, Clinic 360 may not be able to provide access to all the personal health information it holds about an individual. Exceptions to the access requirement will be in accordance with the law. The reasons for denying access will be provided to the individual. Examples may include information that could reasonably be expected to result in a risk of serious harm or the information is subject to legal privilege.
Upon request, Clinic 360 will inform an individual whether or not it holds personal health information about that individual. Clinic 360 will seek to indicate the source of this information and will allow the individual access to this information. However, it may choose to make sensitive medical information available through a medical practitioner.
An individual will be required to provide sufficient information to permit Clinic 360 to provide an account of the existence, use, and disclosure of personal health information. The information provided will only be used for this purpose. In providing an account of third parties to which it has disclosed personal health information about an individual, Clinic 360 will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, Clinic 360 will provide a list of the organizations to which it may have disclosed information.
Clinic 360 will respond to an individual’s request within the period specified in the
Personal Health Information Protection Act and at reasonable cost to the individual. Clinic 360 uses the fee structure recommended by the Information and Privacy Commissioner of Ontario.
Challenging Compliance with Clinic 360’s Privacy Policies & Practices
An individual will be able to address a challenge concerning compliance with this policy. Clinic 360 has procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal health information. Clinic 360 will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. Clinic 360 will investigate all complaints. If a complaint is found to be justified, Clinic 360 will take appropriate measures, including, if necessary, amending its policies and practices.
Complaints can be directed to the Clinic Director at:
(416) 479-5428
Or by e-mail to privacy@thinkresearch.com
Individuals may also make a complaint to the Ontario Information and Privacy Commissioner.
Definitions
Agent – A person that, with the authorization of Clinic 360, acts for or on behalf of the organization in respect of personal health information for the purposes of Clinic 360 and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by Clinic 360 and whether or not the agent is being remunerated. Examples of agents of Clinic 360 include, but are not limited to: employees, volunteer, students, physicians, residents, consultants, researchers, vendors.
Health Information Custodian – Listed persons or organizations under the Personal Health Information Protection Act such as hospitals, who have custody or control of personal health information as a result of the work they do. As a public hospital, Clinic 360 is considered to be a Health Information Custodian (Personal Health Information Protection Act, 2004, Schedule A).
Personal Health Information – Information about an individual whether living or deceased and whether in oral or recorded form. It is information that can identify an individual and that relates to matters such as the individuals physical or mental health, the providing of health care to the individual, payments or eligibility for health care in respect of the individual, the donation by the individual of a body part or bodily substance and the individuals health number. (Personal Health Information Protection Act, 2004, section 4.1) Personal health information can be information about a physician or other care provider, a hospital staff person, a patient, or a patient’s family member. Examples of personal health information include a name, medical record number, health insurance number, address, telephone number, and personal health information related to a patient’s care such as blood type, X-rays, consultation notes, etc.
Record of Personal Health Information – The Personal Health Information Protection Act defines a record as personal health information in any form or in any medium whether in written, printed, photographic or electronic form or otherwise.