Southlake's Corporate Privacy Policy
Purpose
Southlake Regional Health Centre places high value on the confidentiality of its patients and the protection of personal information. The purpose of this policy is to outline SRHC's requirements for the collection, use, disclosure and retention of personal information, consistent with the standards for privacy protection found in Schedule 1 of PIPEDA and in Ontario's PHIPA, 2004.
Assumptions
- In the absence of an absolute statutory obligation to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), SRHC had self-regulated for the protection of personal information on employees, patients, donors, and others that is in its custody and control.
- The Ten Privacy Principles in Schedule 1 of PIPEDA were used as a guide and foundation for SRHC's self-regulatory Privacy Policy.
- After November 1, 2004, there is a statutory obligation for Southlake to comply with Ontario's Personal Health Information Protection Act, 2004 (PHIPA).
- PHIPA is thought to be “substantially similar” to PIPEDA, but with particular reference to personal health information. Hence, the PIPEDA-based Privacy Principles underlying SRHC's self-regulatory Privacy Policy are believed to be “substantially” consistent with the expectations of PHIPA.
- Despite the latter, SRHC's Privacy Policy is being amended to afford greater clarity with respect to its consistency with the expectations of PHIPA.
- Therefore, as of November 1, 2004, compliance with SRHC's Privacy Policy, as presently amended, has the force of law behind it and the Information and Privacy Commissioner of Ontario has jurisdiction over SRHC's compliance practices.
Definitions
The terms “SRHC” and “Southlake Regional Health Centre” are used interchangeably throughout this Policy. See SRHC's Confidentiality Policy & Procedure (Admin Manual, Admin Section, Code AC 70) for definitions of “Privacy”, “Confidentiality”, “Security” and “Authorized”.
Policy
Principle 1 - Accountability
SRHC is responsible for personal information under its control and has designated an individual who is accountable for its compliance with the principles outlined in this policy.
- All SRHC staff, affiliated physicians and volunteers are responsible for adherence to this policy during the day-to-day collection and processing of personal information. Ultimate accountability for SRHC's compliance with policy principles rests with SRHC's Privacy Officer and, through him or her, with the Chief Executive Officer (CEO).
- The identity of SRHC's Privacy Officer will be made known to the general public.
- SRHC is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. SRHC will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party [1].
- SRHC will implement policies and practices to give effect to this policy, including
  - implementing procedures to protect personal information;
  - establishing procedures to receive and respond to complaints and inquiries;
  - training staff and communicating to staff information about SRHC policies and practices; and
  - developing information to explain SRHC policies and procedures.
Principle 2 - Identifying Purposes for Collection of Personal Information
SRHC, at or before the time information is collected, will identify the purposes for which personal information is collected.
- Identifying the purposes for which personal information is collected at or before the time of collection allows SRHC to determine the information they need to collect to fulfill these purposes [2].
- The identified purposes will be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. (Brochures, posters and statements on pre-admission forms may, for example, give notice of these purposes.)
- When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless a law requires the new purpose, the consent of the individual will be obtained before information can be used for that purpose.
Persons collecting personal information will, upon request, be able to explain to individuals the purposes for which the information is being collected.
Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. Southlake may collect and use personal health information if the collection and use is reasonably necessary for the provision of health care and it is not reasonably possible to obtain the individual's consent in a timely manner. Similarly, Southlake may disclose information to a health care provider if the disclosure is reasonably necessary for the provision of health care and it is not reasonably possible to obtain the individual's consent in a timely manner, except where the individual has expressly instructed the custodian not to make the disclosure. In addition, if SRHC does not have a direct relationship with the individual, it may not be able to seek consent. For example, seeking consent may be impractical where a patient is under consideration for transfer from another facility. In such cases, the facility providing the list would be expected to obtain consent before disclosing personal information.
- Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, SRHC will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when SRHC wants to use information for a purpose not previously identified).
- The principle requires "knowledge and consent." SRHC will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Such consent will not be obtained through deception.
- SRHC will not, as a condition of the supply of a service or product, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.
- Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney), in accordance with the law, including requirements of Ontario's PHIPA, 2004 and Health Care Consent Act, 1996 regarding the determination of capacity and Substitute Decision Makers.
- The form of the consent sought by SRHC may vary, depending upon the circumstances and the type of information. In general, SRHC will assume that a reasonable individual attending SRHC implies consent to the use and disclosure of personal health information for the provision of authorized care and treatment.
- Although SRHC might imply consent to the use and disclosure of personal information for the provision of authorized care, it will not do so if the individual has expressly withheld or withdrawn the consent.
- If SRHC or its agent does not have the consent of an individual to disclose all the personal health information about the individual that SRHC or its agent considers reasonably necessary for the provision of care, SRHC or its agent will notify a receiving custodian of that fact.
- Under some circumstances, and particularly when personal information is being collected for some new purpose or is to be used or disclosed for some new purpose, SRHC will seek express consent.
- Individuals can give express consent in many ways. For example:
  - an admission or an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
  - a check-off box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
  - consent may be given orally when information is collected over the telephone; or
  - consent may be given at the time that individuals use an SRHC service.
- An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. SRHC will inform the individual of the implications of such withdrawal.
Principle 4 - Limiting Collection
The collection of personal information will be limited to that which is necessary for the purposes identified by SRHC. Information will be collected by fair and lawful means.
- SRHC will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified.
- The requirement that personal information be collected by fair and lawful means implies that consent with respect to collection will not be obtained in a misleading manner or through deception.
Principle 5 - Limiting Use, Disclosure, and Retention
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
- If SRHC uses or discloses personal health information about an individual without the individual's consent and in a manner that is outside the scope of our statement of primary purposes for its collection, SRHC will make a note of such uses and disclosures, and inform the individual of the use or disclosure, as the case may be, at the first reasonable opportunity. SRHC will keep the note as part of the records about the individual or in a form that is linked to those records.
- SRHC will develop guidelines and implement procedures with respect to the retention of personal information. These guidelines will include minimum and maximum retention periods, including those that are subject to legislative requirements. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made.
- Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous. SRHC will develop guidelines and implement procedures to govern the destruction of personal information.
Principle 6 - Accuracy
Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- The extent to which personal information will be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
- Where such a process is necessary to fulfill the purposes for which the information was collected, SRHC will update personal information. It will not, otherwise, routinely do so.
- Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Principle 7 - Safeguards
Security safeguards appropriate to the sensitivity of the information will protect personal information.
- The security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. SRHC will protect personal information regardless of the format in which it is held.
- The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. A higher level of protection will safeguard more sensitive information, like medical and health records.
- The methods of protection will include
  - physical measures, for example, locked filing cabinets and restricted access to offices;
  - organizational measures, for example, security clearances and limiting access on a "need-to-know" basis; and
  - technological measures, for example, the use of passwords, encryption and audits.
- SRHC will make its employees aware of the importance of maintaining the confidentiality of personal information. All employees and associates of SRHC will read and sign the SRHC Confidentiality/Security Agreement at the time of their engagement and will renew this agreement at intervals to be specified from time-to-time.
- Appropriate procedures will be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 5.3).
- SRHC will notify an individual at the first reasonable opportunity if personal health information of the individual held by the custodian is stolen, lost, or accessed by unauthorized persons.
Principle 8 - Openness
SRHC will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- SRHC will be open about its policies and practices with respect to the management of personal information. Individuals will be able to acquire information about SRHC's policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
- The information made available will include
  - the name or title, and the address, of SRHC's Privacy Officer who is accountable for SRHC policies and practices and is an individual to whom complaints or inquiries can be forwarded;
  - the means of gaining access to personal information held by SRHC;
  - a description of the type of personal information held by SRHC, including a general account of its use;
  - a copy of any brochures or other information that explain SRHC policies, standards, or codes; and
  - what personal information is made available to related organizations.
- SRHC may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, SRHC may choose to make brochures and posters available in its place of business, mail information to its customers, provide online access (via corporate website), or establish a toll-free telephone number.
Principle 9 - Individual Access
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, SRHC may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal reasons (including those related to compliance with the Mental Health Act or the Quality of Care Information Protection Act), security reasons, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
- Upon request, SRHC will inform an individual whether or not SRHC holds personal information about the individual. SRHC will try to indicate the source of this information. SRHC will allow the individual access to this information. However, SRHC may choose to make sensitive medical information available through a medical practitioner. In addition, SRHC will provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
- An individual may be required to provide sufficient information to permit SRHC to provide an account of the existence, use, and disclosure of personal information. The information provided will only be used for this purpose.
- In providing an account of third parties to which it has disclosed personal information about an individual, SRHC will attempt to be as specific as possible. SRHC will put processes and systems in place to enhance our ability to track and report on third party disclosures. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, SRHC will provide a list of organizations to which it may have disclosed information about the individual.
- SRHC will respond to an individual's request within a reasonable time (within 30 days in most instances, or within 60 days following a notification of the individual as to why an extension beyond 30 days is necessary) and at reasonable cost to the individual. The requested information will be provided or made available in a form that is generally understandable. For example, if SRHC uses abbreviations or codes to record information, an explanation will be provided.
- When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, SRHC will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
- When a challenge is not resolved to the satisfaction of the individual, SRHC will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
Principle 10 - Challenging Compliance
An individual will be able to address a challenge concerning compliance with the above principles to SRHC's Privacy Officer or, if necessary, to the Chief Executive Officer, or, ultimately, with reference to personal health information, to the Information and Privacy Commissioner of Ontario.
- SRHC will put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. The complaint procedures will be easily accessible and simple to use.
- SRHC will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist.
- SRHC will investigate all complaints. If a complaint is found to be justified, SRHC will take appropriate measures, including, if necessary, amending its policies and practices.
References
- Personal Information Protection and Electronic Documents Act, Schedule 1 (Statutes of Canada 2000)
- Personal Health Information Protection Act, 2004 (Statutes of Ontario)
- Quality of Care Information Protection Act, 2004 (Statutes of Ontario)
- Draft of a Privacy Policy for the SRHC Regional Health Centre Foundation, David H. Flaherty (August 25, 2002)
- “Commitment to Patients”, from Protection of Privacy of Personal Information, Information Privacy and Security Policies, St. Michael's Hospital, Toronto (May, 2002)
- Administrative Policy - UHN Privacy, Policy & Procedure Manual, University Health Network, Toronto (August, 2002)
1. Where SRHC provides personal information, like a list of names to the Foundation or a set of data to a contracted firm, it will use contractual or other means to ensure a comparable level of protection while the Foundation or other company is processing the information.
2. Southlake's primary purposes for personal health information collection are those related to Southlake-centred healthcare and for which we will imply consent to collect, use and share that information. They include the delivery of patient care (including promotion of wellness, and the diagnosis, treatment and follow-up of illness), purposes that are required or permitted by law (e.g. to reduce a significant risk of harm to other persons) and those which are typical for the operation of a community/regional hospital. Such purposes include the teaching of new healthcare providers and the use of personal information to study and improve Southlake services and to support our expense claims. They include the sharing of data with recognized institutions for health information management and its use for approved health research, typically only using data that cannot identify an individual. As provided for in PHIPA, they include both the sharing of contact information with the hospital's charitable foundation and advising visitors and callers of an individual's presence in hospital, unless he or she “opts-out” of these processes.