OUR COMMITMENT TO PRIVACY
Protecting the privacy and confidentiality of personal information is an important aspect of the way Access Healthcare Services Inc. conducts its business. Collecting, using, and disclosing personal information in an appropriate, responsible, and ethical manner is fundamental to Access Healthcare Services Inc.’s daily operations.
Access Healthcare Services Inc. strives to protect and respect personal information of its clients, employees, business partners, and so on in accordance with all applicable regional and federal laws. Each staff member of Access Healthcare Services Inc. must abide by this organization’s procedures and practices when handling personal information. This policy is to be reviewed and signed annually.
Consent occurs and is obtained when an individual signs an application or other form containing personal information, thereby authorizing Access Healthcare Services Inc. to collect, use, and disclose the individual’s personal information for the purposes stated on the form or in the Appropriate Use section of this policy.
- Implied consent is granted by the individual when he/she signs the application or form. This allows Access Healthcare Services Inc. to obtain or verify information from third parties (such as banks, credit bureaus, lenders, or insurance companies) in the process of assessing the eligibility of an individual, customer, client, job applicant, or business partner.
- “Agent”: any person authorized by AHSI to act on its behalf in respect of PHI for AHSI’s purposes, whether or not the agent has the authority to bind the custodian, is employed by the custodian, or is being remunerated;
- “Circle of Care”: a group that includes any person who is involved in the care or treatment of a given client and who may rely on implied consent for the collection, use, and disclosure of information for the purposes of providing that client with care;
- “Collect”: to gather, acquire, receive, or obtain PHI by any means from any source;
- “Health Information Custodian”: a person or organization described in Section 3 of the Personal Health Information Protection Act (PHIPA) and who has custody or control of PHI. For the purposes of this policy, this includes AHSI.
- “Personal Health Information (PHI)”: information about an individual, whether in oral or recorded form, that identifies the individual or could enable such identification and that relates to: the person’s health, medical history or past or future medical treatment (e.g. a client’s physical or mental health or personal or family health history; the provision of healthcare to a client; the identity of a client’s healthcare provider or SDM; payments or eligibility for healthcare or healthcare coverage; donations by any individual of any body part or bodily substance; a client’s health number);
- “Privacy Breach”: any intentional or unintentional unauthorized collection, use or disclosure of PHI, including loss of or failure to protect such information;
- “Secondary Use”: Any use of information beyond that for which the information was collected;
- “Staff”: all permanent or temporary, full-time, part-time, casual or contract employees, trainees and volunteers, including but not limited to physicians, residents, interns and students;
- “Substitute Decision-Maker (SDM)”: a person who is authorized under PHIPA to consent on behalf of a client to the collection, use, or disclosure of the client’s PHI; and
- “Use”: to view, handle or otherwise deal with PHI.
Access Healthcare Services Inc. collects and uses personal information solely for the purpose of conducting business and developing an understanding of its customers. Access Healthcare Services Inc. hereby asserts that personal information will only be used for the following purposes:
- Electronic Data Base directly relevant to client care, scheduling and billing.
- Charts/documentation directly relevant to client care.
- Electronic and fax communication and reporting of client care to funding parties (i.e., LHIN, City of Ottawa, WSIB).
- Billing procedures for payment of client care.
- Access Healthcare Services Inc. assumes full accountability for the personal health information within its possession and control. Employees are to notify the Privacy Officer of any violations/breach of privacy. This organization has appointed The Director of Client Services, Tammy Hehn, Privacy Officer, as custodian of all privacy matters and legal compliance with privacy laws. Any violation of privacy will be disclosed to the person whose information was breached (and Champlain – Local Health Integration Network when applicable) by the Privacy Officer, Tammy Hehn, or designate.
- Any violation of this policy is grounds for disciplinary action up to and including dismissal or termination. Under PHIPA, AHSI also has mandatory privacy breach reporting requirements to the Information and Privacy Commissioner of Ontario (IPC) as well as to regulatory colleges.
- Access Healthcare Services Inc. obtains personal information directly from the individual to whom the information belongs. Individuals are entitled to know how Access Healthcare Services Inc. uses personal information and this organization will limit the use of any personal health information collected only to what is needed for those stated purposes. Access Healthcare Services Inc. will obtain individual consent if personal health information is to be used for any other purpose. Access Healthcare Services Inc. will not use that information without the consent of the individual.
The Privacy Checklist is to be used prior to approving the release of information for all situations/requests.
- Access Healthcare Services Inc. will retain personal health information only for the duration it is needed for conducting business. Once personal information is no longer required, it will be destroyed in a safe and secure manner. However, certain laws may require that certain personal information be kept for a specified amount of time. Where this is the case, the law will supersede this policy.
- Access Healthcare Services Inc. vows to protect personal information with the appropriate security measures, physical safeguards, and electronic precautions. Access Healthcare Services Inc. maintains personal information through a combination of paper and electronic files. Where required by law or disaster recovery/business continuity policies, older records may be stored in a secure, offsite location.
- Access to personal information will be authorized only for the employees and other agents of Access Healthcare Services Inc. who require the information to perform their job duties, and to those otherwise authorized by law.
- Access Healthcare Services Inc.’s computer and network systems are secured by complex passwords. Only authorized individuals may access secure systems and databases.
- E-mail is never to include client information. The only client identifiers to be used are BRN and initials. The only employee identifiers to be used are initials.
- Active files are kept in locked filing cabinets.
- Routers and servers connected to the Internet are protected by a firewall, and are further protected from virus attacks or “snooping” by sufficient software solutions.
- Personal information is not transferred to volunteers, summer students, interns, or other non-paid staff by e-mail or any other electronic format.
- Access Healthcare Services Inc. may use personal information without the individual’s consent under particular circumstances. These situations include, but are not limited to:
- Access Healthcare Services Inc. is under obligation by law to disclose personal information in order to adhere to the requirements of an investigation of the contravention of a regional or federal law, under the purview of the appropriate authorities.
- An emergency exists that threatens an individual’s life, health, or personal security.
- The personal information is for in-house statistical study or research.
- The personal information is already publicly available.
- Disclosure is required to investigate a breach of contract.
- Access Healthcare staff do not have the authority to access their own PHI or that of family, friends, neighbors, or high-profile clients using any and all clinical information systems unless we are providing care to the client as part of our authorized duties. This remains the case even if verbal consent is obtained.
- Upon request, clients will be informed of:
- AHSI’s privacy statement, which describes AHSI’s privacy and information practices and is posted in high-traffic areas in the organization as well as on AHSI’s website;
- Their right to forward an inquiry or make a complaint to AHSI’s Privacy Officer; and
- Their right to obtain access to and/or to request a correction of a record of their PHI.
Accuracy, Access and Correction:
- AHSI will take reasonable steps to ensure that information about clients is accurate, complete, and up-to-date.
- AHSI will record PHI when it is collected or as soon as reasonably possible afterward. Whenever possible, the individual who collects the PHI should be the one recording the PHI.
- When disclosing PHI for any purpose, AHSI will set out for the recipient any known limitation on the accuracy and/or completeness of the information.
- Upon request and verification of identity, clients or their SDMs will be informed of the existence, use, and disclosure of their PHI and given access to that information unless a specific exception applies.
- When an individual demonstrates the inaccuracy or incompleteness of their PHI held by AHSI, we will take steps to amend the information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question. (See Appendix A)
- Personal Health Information Protection Act, 2004, SO 2004, c.3 Sch. A
- University Health Network Policy & Procedure Manual, Administrative – Privacy
- eHealth Ontario, “electronic Health Record Privacy Policies”
- Information and Privacy Commissioner of Ontario, “Detecting and Deterring Unauthorized Access to Personal Health Information” (Toronto: ON, 2015)
- Information and Privacy Commissioner of Ontario, Order HO-014
- Information and Privacy Commissioner of Ontario, PHIPA Order HO-010
- Information and Privacy Commissioner of Ontario, PHIPA Order HO-002
APPENDIX A: CORRECTION TO MEDICAL RECORDS
Correction to medical records held by AHSI is subject to the following:
- A client or SDM can request a correction to a client’s medical record by filling out a Request for Correction to Personal Health Record form, which can be obtained from the Health Records Department.
- AHSI may decline a request to make a correction to a medical record if:
- The information was received from another organization and AHSI does not have enough information to know whether it should be corrected;
- The correction is frivolous, vexatious, or requested in bad faith;
- The medical record is not incorrect or incomplete; or
- The information represents a clinical opinion that was made in good faith.
- When a challenge relating to the accuracy of a medical record is not resolved to the satisfaction of the client or SDM, the individual may write a statement of disagreement. AHSI will record the substance of the unresolved challenge and include the written statement from the individual in the client’s health record.