This policy was created in response to a growing global consciousness of the need for privacy safeguards and assurances of confidentiality with regard to personal information, especially in the health care context in the age of digital information. This policy will ensure that St. Joseph’s Home Care (SJHC) complies with the Fair Information Practice Principles set out in the federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), and in the provincial privacy legislation, Bill 31, the Health Information Protection Act (HIPA), specifically Schedule A, also known as the Personal Health Information Protection Act (PHIPA), relating to the collection, use, disclosure and retention of personal information. This policy is a living document and is expected to change as the body of knowledge in this area grows, as the environment within which SJHC operates changes (moving from a corporate entity operating exclusively within the confines of St. Joseph’s to participating in data sharing as a member of a Local Health Integration Network (LHIN)), and as new challenges are brought to our attention.
To establish guidelines for the collection, use and disclosure of personal health information to protect the rights and privacy of residents and clients of St. Joseph’s Home Care (SJHC) while facilitating optimal care and services in compliance with provincial and federal legislation. The protection of privacy will not be utilized as a barrier to the provision of care.
All affiliates, which include employees, volunteers, students, contract staff, directors, and other persons who act or provide services on behalf of SJHC shall be subject to this policy.
SJHC is in compliance with the Personal Health Information Protection Act (PHIPA) regarding the collection, use and disclosure of personal health information. All personal health information contained in patients’/clients’ records under the control or custody of SJHC shall be regarded as confidential and available only to authorized users. Subject to specific limitations and exceptions, patients/clients (or their legal representatives) may access their own personal health information contained in records under the custody or control of SJHC following the process outlined in this policy.
SJHC is a provider of health and social services to the public and meets the PHIPA definition of a “health information custodian.”
Agent, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated. (PHIPA)
Confidentiality refers to a third party’s obligation to ensure that information is only accessible to those authorized to have access. Thus, confidentiality refers to organizational duties, whereas privacy refers to individual rights. (COACH)
Consent means the informed voluntary agreement with that which is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual. (PIPEDA & PHIPA)
Disclosure means making personal health information available to others outside the organization (PIPEDA & PHIPA); the “means of release of personal health information to a third party for specific and defined purposes” (COACH).
Health Information Custodian refers to an organization or an agent that is responsible for Personal Health Information. SJHC is responsible for Personal Health Information of our clients and so are our employees as our agents. CCAC is the Health Information Custodian for the clients receiving nursing services from SJHC.
Legal Representative /Substitute Decision Maker (SDM) means a person who has legal authority to make decisions on behalf of another person.
Personal health information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- Age, name, ID numbers, income, ethnic origin;
- Blood type, health insurance number, genetic information, social status;
- Information concerning the physical or mental health of the individual;
- Information concerning any health service provided to the individual;
- Information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
- Information that is collected in the course of providing health services to the individual; and/or,
- Information that is collected incidentally to the provision of health services to the individual.
Personal health information does not include the name, title or business address or telephone number of an employee of an organization.
Privacy refers to the right of an individual to control who has access to his or her health information and under what circumstances. (COACH)
Privacy Breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.
Record means a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record.
Security is characterized as the preservation of the confidentiality, integrity and availability of personal health information. Information security is achieved by implementing policies and procedures based on relevant legislation, standards and ethical principles, careful planning, design, implementation and maintenance of appropriate technology solutions and managing ongoing operations related to the collection, classification, access and disclosure of personal health information. (COACH)
Use refers to the treatment and handling of personal health information within an organization. (PIPEDA & PHIPA)
THE GUIDING PRINCIPLES
The Guiding Principles are based on the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. These 10 principles of fair information practices form the basis for the provincial Personal Health Information Protection Act (PHIPA) and other provincial/federal privacy legislation.
The principles stated below, and the ensuing processes described in this document, are inter-related and should be interpreted within the context of the 10 CSA principles.
Principle 1 – Accountability for Personal Information
An organization is responsible for personal health information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
Accountability for SJHC’s compliance with the principles rests with the Privacy Officer, as identified on the organizational chart, although other individuals within the organization may be responsible for the day-to-day collection and processing of personal health information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).
The Privacy Officer shall oversee SJHC’s compliance with the principles.
SJHC shall be responsible for personal health information in its possession or custody, including information that has been transferred to a third party for processing. SJHC shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. SJHC employees/agents are responsible for any personal information or personal health information of clients or employees that they have in their possession at all times.
SJHC shall develop and implement policies and practices to give effect to this principle.
SJHC is not responsible for personal health information that is kept in a client’s home, as is inherent in the nature of home care. One example would be a client’s charts that remain in the client’s home. The client is fully responsible for ensuring that their personal health information remains confidential while the documents are under their control.
Principle 2 – Identifying Purposes for Collecting Personal Information
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
The primary purposes for which personal health information is collected are: the provision/delivery of healthcare, billing and accounting purposes, patient health education, teaching of medical and other health care students, quality assurance/risk management activities, research (Admin Policy #06) and statistical analysis, fundraising, and to meet legal and regulatory requirements.
SJHC shall identify the purposes for which personal health information is collected in order to comply with the Openness Principle (#8) and the individual Access Principle (#9).
When personal health information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required or permitted by law, the consent of the individual is required before information can be used for that purpose. Persons who collect personal health information will be able to explain the purpose(s) for which the information is being collected. An admission or appointment form may give notice of the purposes.
Principle 3 – Consent for Collection, Use and Disclosure of Personal Information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Where possible and practicable, SJHC shall seek consent for the use or disclosure of personal information at the time of collection.
SJHC shall make a reasonable effort to ensure that individuals are advised of the purposes for which the information will be used or disclosed. To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
In determining the form of consent to collect, use or disclose personal health information (implied/express, verbal/written), SJHC shall take into account the sensitivity of the information.
In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual referred by a Community Care Access Centre (CCAC) will reasonably expect that SJHC, in addition to using the individual’s personal health information for treatment purposes, would also contact the referring physician to report results or place the individual on a waiting list. In some cases – like the aforementioned example – SJHC can assume the individual’s request for services constitutes consent for specific, related purposes. An individual would not, for example, reasonably expect that personal health information given to SJHC would be given to a company selling health care products unless consent were obtained.
In certain circumstances personal health information can be collected, used, or disclosed without the consent of the individual. For example, legal or security reasons may make it impracticable to seek consent. When personal health information is disclosed for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. The provisions of the Consent to Treatment (ADMIN 09) policy apply to emergency situations, incapable patients and substitute decision makers.
The way in which SJHC seeks consent may vary, depending on the circumstances and the type of information collected. An authorized representative such as a legal guardian, caregiver or a person having power of attorney can also give consent.
Individuals may give consent in many ways, for example:
- An admission or appointment form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
- Consent may be given orally when information is collected over the telephone; or
- Consent may be given at the time that the individual receives a service or treatment.
Consent may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice. Refer to the appropriate form that clients must complete to withdraw consent; once it is completed, a copy is to be sent immediately to the manager of the appropriate department. SJHC staff shall inform the individual of the implications of withdrawal of consent.
Principle 4 – Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
SJHC shall specify the type of information that may be collected as part of its information-management policies and practices, in accordance with the Openness principle. Both the amount and type of personal information collected will be limited to that which is necessary to fulfill the purposes identified.
Consent shall not be obtained through deception or coercion.
Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
When using personal health information for a new purpose, SJHC will document this purpose.
SJHC and individual departments as appropriate shall develop guidelines and implement procedures with respect to the disclosure and retention of personal health information. Legislative requirements with respect to retention periods may apply.
Patient health records created by SJHC will be maintained such that previous records will be pulled forward and filed with current activity records. Records will be stored in hard copy or electronically backed up on a server on a daily basis until they are eligible for destruction.
Records will be eligible for destruction as follows:
- 8 (eight) years after the date of last contact.
- In the case of a minor, the records shall be maintained for 8 (eight) years after their 18th (eighteenth) birthday.
- 10 (ten) years after the date of last contact.
- In the case of a minor, the records shall be maintained for 10 (ten) years after their 18th (eighteenth) birthday.
For data collection with HOBIC, SJHC agrees to share encrypted data between SJHC and the Institute for Clinical Evaluative Sciences (ICES).
Principle 6 – Accuracy of Personal Information
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
The extent to which personal health information will be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
SJHC will not routinely update personal health information, unless such a process is necessary to fulfill the purposes for which the information was collected.
Principle 7 – Safeguards for Personal Information
Security safeguards appropriate to the sensitivity of the information shall protect personal information.
The security safeguards will protect personal health information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. SJHC will protect personal health information regardless of the format in which it is held. Each department will routinely review and update its policies to safeguard personal health information, specific to its circumstances.
The methods of protection will include the following measures:
- Physical (e.g. locked filing cabinets, restricted access to offices and the CHUBB alarm system);
- Organizational (e.g. confidentiality agreements and limited access for staff); and
- Technological (e.g. the use of passwords, access controls and encryption).
SJHC will make its employees aware of the importance of maintaining the confidentiality of personal health information.
Care will be used in the disposal or destruction of personal health information to prevent unauthorized parties from gaining access to the information. Refer to ADMIN 04-02 Destruction of Confidential Information/Records.
Principle 8 – Openness Concerning Policies and Practices
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
SJHC shall be open about its policies and practices with respect to the management of personal health information. Individuals will be able to acquire information about its policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
Information made available will include:
- The name or title and address of the person who is accountable for SJHC’s policies and practices, and to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal health information held by SJHC;
- A description of the types of personal health information held by SJHC, including a general account of its use;
- A copy of any brochures or other information that explain SJHC’s policies, standards or codes; and,
- The personal health information which is made available to related organizations (e.g. fundraising).
SJHC may make information on its policies and practices available in a variety of ways and formats. Please refer to ADMIN 011- Confidentiality & Requests for Client Information.
Principle 9 – Individual Access to Personal Information
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Upon request, SJHC will inform an individual whether or not it holds personal health information about the individual. SJHC will allow the individual access to this information according to the current legislation. In order to receive access to one’s own hospital record, a written request must be made to the Privacy Officer or delegate. See the appropriate form and return it to your immediate supervisor.
An individual may be required to provide sufficient information to permit SJHC to provide an account of the existence, use and disclosure of his or her personal health information. The information provided will only be used for this purpose. SJHC may choose to make sensitive medical information available through a medical practitioner.
When an individual demonstrates the inaccuracy or incompleteness of personal health information to the satisfaction of SJHC, then, depending upon the nature of the information challenged, an amendment may be made involving the correction or addition of information, which will be included as an addendum to the health record. Clinical opinions will not be deleted. Please refer to the appropriate form for a request to correct information collected.
In certain situations, SJHC may not be able to provide access to all the personal health information about an individual. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed due to legal, security or commercial proprietary reasons and information that is subject to solicitor-client or litigation privilege.
Principle 10 – Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
SJHC’s Privacy Officer shall be accountable for the organization’s compliance with these Principles. SJHC will put procedures in place to receive and respond to complaints or inquiries about policies and practices relating to the handling of personal health information. SJHC is committed to investigating all complaints and taking appropriate action including, where necessary, amending policies and practices.
The following references were consulted in formulating this policy:
- PHIPA: Personal Health Information Protection Act (Bill 31: Provincial)
- PIPEDA: Personal Information Protection and Electronic Documents Act (Federal)
- Department of Justice – PIPEDA update
- COACH: Canada’s Health Informatics Association. Security and Privacy Committee. Guidelines for the Protection of Health Information. May, 2001
- Ontario Community Support Association Privacy Guidelines
- St. Joseph’s Healthcare Hamilton Policy