Privacy & Health Information
Collingwood General and Marine Hospital (the G&M Hospital) is committed to protecting the privacy, confidentiality and security of all personal health information to which it is entrusted. This policy incorporates the provisions of the Provincial Health Information Protection Act 2004 (PHIPA) and includes the ten principles of the Canadian Standards Association's Model Code for the Protection of Personal Health information.
Personal Health Information is any health information about an individual whether oral or recorded in any form. It includes but is not limited to;
- Any health information related to the physical or mental health of an individual, including past medical history and plan of service.
- Payment or eligibility for healthcare health information.
- Donation of a body or any parts of the body or bodily substance, including any health information derived from testing of a body part or substance.
- An individual's healthcare number.
- Health information that identified a provider of healthcare to the individual or substitute decision-maker of the individual.
1. Accountability for Personal Health Information
Accountability for the G&M Hospital's compliance with PHIPA rests with the Chief Executive Officer, although other individuals within the G&M Hospital are responsible for the day-to-day collection and processing of personal health information. In addition, other individuals within the G&M Hospital are delegated to act on behalf of the Chief Executive Officer, such as the Privacy Officer.
The name of the Privacy Officer designated by the G&M Hospital to oversee its compliance with PHIPA is a matter of public record and is documented at the end of this statement.
The G&M Hospital is responsible for all personal health information in its possession or custody, including health information that has been transferred to a third party for processing.
The G&M Hospital will use contractual or other means to provide a comparable level of protection while the health information is being processed by a third party.
The G&M Hospital will implement policies and procedures, including:
- Implementing procedures to protect personal health information
- Establishing procedures to receive and respond to complaints and inquiries
- Training staff and communicating to staff health information about the G&M Hospital's policies and practices
- Developing health information to explain the G&M Hospital's policies and procedures
2. Identifying Purposes for the Collection of Personal Health Information
At or before the time personal health information is collected, the G&M Hospital will identify the purposes for which personal health information is collected. The primary purposes are:
- the delivery of direct patient care - to care for you and document this care
- the administration of the health care system
- quality improvement
- and meeting legal and regulatory requirements
Identifying the purposes for which personal health information is collected at or before the time of collection allows the G&M Hospital to determine the health information it needs to collect to fulfil these purposes.
The identified purposes are specified at or before the time of collection to the individual from whom the personal health information is collected. Depending upon the way in which the health information is collected, this can be done orally or in writing. A patient who presents for treatment is also giving implicit consent for the use of his or her personal health information for authorized purposes.
When personal health information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless law requires the new purpose, the consent of the individual is required before health information can be used for that purpose.
3. Consent for the Collection, Use, and Disclosure of Personal Health information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal health information, except where inappropriate.
Note: In certain circumstances personal health information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When health information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the health information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, if the G&M Hospital does not have a direct relationship with the individual, it may not be able to seek consent.
The G&M Hospital will seek consent for the use or disclosure of the health information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the health information has been collected but before use, for example, when the G&M Hospital wants to use health information for a purpose not previously identified.
The principle requires "knowledge and consent". The G&M Hospital will make a reasonable effort to ensure that the individual is advised of the purposes for which the health information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the health information will be used or disclosed.
The G&M Hospital will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of health information beyond that required to fulfil the explicitly specified and legitimate purposes.
The form of the consent sought by the G&M Hospital may vary, depending upon the circumstances and the type of health information. In determining the form of consent to use, the G&M Hospital will take into account the sensitivity of medical and health information.
In obtaining consent, the reasonable expectations of the individual are also relevant. The G&M Hospital can assume that an individual's request for treatment constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal health information given to the G&M Hospital would be given to a company selling health-care products.
The way in which the G&M Hospital seeks consent may vary, depending on the circumstances and the type of health information collected. The G&M Hospital will generally seek express consent when the health information is likely to be considered sensitive (e.g., genetic testing). Implied consent would generally be appropriate when the health information is less sensitive. An authorized representative such as a legal guardian or a person having power of attorneycan also give consent.
Individuals can give consent in many ways. For example:
- An admission form may be used to seek consent, collect health information, and inform the individual of the use that will be made of the health information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- A check-off box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this health information to third parties;
- Consent may be given orally when health information is collected over the telephone, or
- Consent may be given at the time that individuals use a health service.
- An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The G&M Hospital will inform the individual of the implications of such withdrawal.
4. Limiting Collection of Personal Health information
The collection of personal health information will be limited to that which is necessary for the purposes identified by the G&M Hospital. Health information will be collected by fair and lawful means. Both the amount and the type of health information collected will be limited to that which is necessary to fulfil the purposes identified.
The requirement that personal health information be collected by fair and lawful means is intended to prevent the G&M Hospital from collecting health information by misleading or deceiving individuals about the purpose for which health information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
5. Limiting Use, Disclosure, and Retention of Personal Health information
Personal health information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
Personal health information will be retained only as long as necessary for the fulfilment of those purposes.
If using personal health information for a new purpose, The G&M Hospital will document this purpose. The G&M Hospital will develop guidelines and implement procedures with respect to the retention of personal health information. These guidelines will include minimum and maximum retention periods. Personal health information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the health information after the decision has been made. The G&M Hospital is subject to legislative requirements with respect to retention periods.
Personal health information that is no longer required to fulfil the identified purposes will be destroyed, erased, or made anonymous. The G&M Hospital will develop guidelines and implement procedures to govern the destruction of personal health information.
6. Ensuring Accuracy of Personal Health information
Personal health information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
The extent to which personal health information will be accurate, complete, and up to date will depend upon the use of the health information, taking into account the interests of the individual. Health information will be sufficiently accurate, complete, and up to date to minimize the possibility that inappropriate health information may be used to make a decision about the individual.
The G&M Hospital will not routinely update personal health information, unless such a process is necessary to fulfil the purposes for which the health information was collected.
Personal health information that is used on an ongoing basis, including health information that is disclosed to third parties, will generally be accurate and up to date, unless limits to the requirement for accuracy are clearly set out.
7. Ensuring Safeguards for Personal Health information
Security safeguards appropriate to the sensitivity of the health information will protect personal health information.
The security safeguards will protect personal health information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
The G&M Hospital will protect personal health information regardless of the format.
The nature of the safeguards will vary depending on the sensitivity of the health information that has been collected, the amount, distribution, and format of the health information, and the method of storage.
The methods of protection will include:
- Physical measures; locked filing cabinets and restricted access to offices;
- Organizational measures; limiting access on a "need-to-know" basis, and
- Technological measures; the use of passwords, encryption, and audits.
The G&M Hospital will make its employees aware of the importance of maintaining the confidentiality of personal health information. As a condition of employment, all new the G&M Hospital employees/agents (e.g., employee, clinician, physician, allied health, volunteer, student, consultant, vendor, or contractor) must sign the G&M Hospital Confidentiality Agreement.
Care will be used in the disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the health information.
8. Openness About Personal Health information Policies and Practices
The G&M Hospital will make readily available to individuals specific information about its policies and procedures relating to the management of personal health information.
Individuals will be able to acquire information about its policies and procedures without unreasonable effort. This information will be made available in a form that is generally understandable.
The information made available will include:
- The name or title, and the address, of the Privacy Officer, who is accountable for the G&M Hospital's privacy policies and procedures, and to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal health information held by the G&M Hospital;
- A description of the type of personal health information held by the G&M Hospital, including a general account of its use;
- A copy of any brochures or other health information that explains the G&M Hospital's policies, standards, or codes, and
- What personal health information is made available to related organizations.
The G&M Hospital may make information on its policies and procedures available in a variety of ways. For example, the G&M Hospital may choose to make brochures available in its place of business, mail information to its clients, post signs, provide online access, or establish a toll-free telephone number.
9. Individual Access to Own Personal Health information
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal health information and will be given access to that health information. An individual will be able to challenge the accuracy and completeness of the health information and request to add a correction or amendment as appropriate.
Note: In some limited/specific situations, the G&M Hospital may not be able to provide access to all the personal health information it holds about an individual. The reasons for denying access will be provided to the individual upon request. Exceptions may include health information that is prohibitively costly to provide, health information that contains references to other individuals, health information that cannot be disclosed for legal, security, or commercial proprietary reasons, and health information that is subject to solicitor-client or litigation privilege.
Upon request, the G&M Hospital will inform an individual whether or not it holds personal health information about the individual. The G&M Hospital will seek to indicate the source of this health information and will allow the individual access to this health information. However, it may choose to make sensitive medical health information available through a medical practitioner. In addition, the G&M Hospital will provide an account of the use that has been made or is being made of this health information and an account of the third parties to which it has been disclosed.
An individual will be required to provide sufficient data to permit the G&M Hospital to provide an account of the existence, use, and disclosure of personal health information. The data provided will only be used for this purpose.
In providing an account of third parties to which it has disclosed personal health information about an individual, the G&M Hospital will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed health information about an individual, the G&M Hospital will provide a list of the organizations to which it may have disclosed health information about the individual.
The G&M Hospital will respond to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested health information will be provided or made available in a form that is generally understandable. For example, if the G&M Hospital uses abbreviations or codes to record health information, an explanation may be provided.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal health information, the G&M Hospital will amend the health information as appropriate. Depending upon the nature of the health information challenged, amendment involves the correction, deletion, or addition of health information. Where appropriate, the amended health information will be transmitted to third parties having access to the health information in question.
When a challenge is not resolved to the satisfaction of the individual, the G&M Hospital will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the health information in question.
Challenging Compliance with the G&M Hospital's Privacy Policies and Practices
An individual will be able to address a challenge concerning compliance with this policy to the Privacy Officer.
The G&M Hospital will put procedures in place to receive and respond to complaints or inquiries about its policies and procedures relating to the handling of personal health information. The complaint procedures will be easily accessible and simple to use.
The G&M Hospital will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist.
The G&M Hospital will investigate all complaints. If a complaint is found to be justified, the G&M Hospital will take appropriate measures, including, if necessary, amending its policies and procedures.
Requests for Release of Patient Information can be processed by contacting the Health Information Systems department at:
459 Hume Street
705-445-2550 Ext 8275
Note this is a voice mail system - please leave a detailed message including your full name and telephone number and the nature of your request.
All requests for Health Information are managed by consent from the patient, which can be managed by attending to the hospital at the above address.
Requests for Health Information for clinical purposes such as copies of test results for physicians will be managed directly for the patient.
A request for Health Information from lawyers, insurance companies or other third parties is only processed with a valid consent from the patient and payment of the appropriate fees:
- Basic record/result up to 20 pages:$30.00
- More than 20 pages:$30.00 plus .25 each additional page
Patients may request a copy of their record and will be required to sign consent and pay the appropriate fees as above.
Under Freedom of Information and Protection of Privacy Act, you may appeal any decision regarding access to the Ontario Information and Privacy Commissioner within 30 days from the date of receipt of the letter denying your request.
Appeals are to be submitted in writing to the Ontario Information and Privacy Commissioner at:
2 Bloor St, East (Suite 1400)
Toronto, ON M4W 1A8
Tel. 416-326-3333 or Toll Free. 1-800-387-0073
Fax 416-325-9195 or 515-832-9400