Capacity
refers to the ability of a person to a) consent to the collection, use or disclosure of PI/PHI, b) understand the information that is relevant when deciding whether or not to consent, and c) understand the potential consequences of giving, not giving, withholding or withdrawing consent.
Identifying Information
means information that identifies an individual or could possibly be used, either alone or with other information, to identify an individual.
Personal Information (PI)
means information that reveals something personal about an identifiable individual and is protected by law. Personal Information includes personal health information.
Personal Health Information (PHI)
means identifying information about an individual in oral or recorded form, if the information:
- relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
- relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
- is a plan of service for the individual,
- relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,
- relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
- is the individual’s health number, or
- identifies an individual’s substitute decision-maker.
PHIPA
means the Personal Health Information Protection Act, 2001 (Ontario).
Privacy Breach
means loss of, unauthorized access to, or unauthorized disclosure of PI/PHI and can occur when PI/PHI is stolen, lost or inappropriately shared, either accidentally or on purpose.
All VHA Staff are responsible for the protection of PI/PHI within their possession, access or control and are required to comply with the terms of this policy and its procedures at all times. This includes always maintaining PI/PHI in strict confidence.
VHA Staff shall inform all individuals providing PI/PHI of why and how VHA collects, uses and discloses their PI/PHI and shall obtain their consent. Individuals have a right to know and determine who can access, view, use and disclose their PI/PHI for the stated purposes and they also have the right to change their mind and withdraw consent.
VHA Staff shall only collect information that is necessary to fulfil the stated purposes and shall ensure that all such information is recorded in a manner that is accurate, reliable, up-to-date and secure.
Only authorized VHA Staff shall be given access to PI/PHI as needed to fulfill their roles/functions. In addition, PI/PHI shall not be used or disclosed for any purposes other than those originally stated at the time it was obtained, except with the further consent of the individual or as permitted by law.
VHA Staff shall only handle PI/PHI in compliance with the procedures outlined in this policy and the applicable related policies, including but not limited to:
- Maintaining PI/PHI in the designated secure areas that are inaccessible to those who are not authorized;
- Never leaving PI/PHI accessible or available for viewing by unauthorized persons;
- Transporting PI/PHI in a way that ensures it is protected from viewing or interception by unauthorized persons;
- Transmitting PI/PHI using only the secure means permitted by VHA and indicating that the information is strictly confidential, only for the use of the identified recipient, and only for the identified purpose;
- Retaining PI/PHI only within the “circle of care”, unless otherwise specifically authorized; and
- Returning PI/PHI to the designated secure areas following active
VHA Staff shall report any known or suspected privacy breaches as soon as reasonably possible to VHA’s Privacy Officer at firstname.lastname@example.org or 416-482-8782.
VHA collects PHI about its clients for the purpose of providing nursing, personal support, homemaking, rehabilitation services and extreme cleaning services, as well as evaluation, quality monitoring, improvement and auditing (including accreditation surveys and professional college audits) and risk management with respect to those services.
VHA collects PI from its employees, independent contractors and volunteers for the purpose of fulfilling legal and contractual obligations as well as management requirements within the employer/contractor relationship and for the protection of the clients that it serves.
VHA Staff responsible for the collection of PI/PHI will identify, before or at the time of collection, the purpose for collecting the information.
If PI/PHI is necessary to a research project, the guidelines set out by the Information Privacy Commissioner will be followed; i.e., an application or proposal must be submitted and reviewed by an ethics panel or research ethics board and, if approved, the researchers must sign confidentiality agreements and no identifiable PI/PHI will be included in the research report or article.
If PI/PHI is to be subsequently used for any other purposes (i.e., outreach, public advocacy), those purposes will be specifically communicated to the individual and consent obtained prior to that use.
VHA will not collect PI/PHI without legitimate purpose. Except as otherwise required by law, both the amount and type of information collected will be limited to what is reasonably necessary to fulfill the purposes for collection.
A summary notice with respect to an individual’s privacy rights at VHA, including the collection, use and disclosure of information, shall be posted on VHA’s website. The website shall also include available contact information for VHA’s Privacy Officer as well as the Information Privacy Commissioner of Ontario.
Complete copies of VHA’s policies and procedures regarding privacy shall be posted on VHA’s intranet, The ‘Loop’.
VHA Staff responsible for the collection of PI/PHI must ensure that each individual understands and consents to the collection, use, disclosure and dissemination of their PI/PHI.
Consent may be communicated either in writing or verbally and may be express or implied depending on the circumstances and as prescribed by law. In all instances, consent regarding the collection, use and disclosure of PHI must be documented. VHA’s current templates and forms should be used, as appropriate.
If assuring knowledge and acquiring consent is impossible or inappropriate because the individual to whom the information pertains lacks capacity, the appointed substitute decision-maker must give consent. If there is no substitute decision-maker or the substitute is unavailable, direction must be obtained from an appropriate VHA manager or the Privacy Officer.
At no time shall consent be forced or obtained through deception.
Withdrawal of Consent
An individual can withdraw their consent at any time as long as doing so meets all legal or contractual obligations and the individual provides reasonable notice. VHA Staff will refer any request to withdraw to the appropriate manager who will handle withdrawals of consent in consultation with the Privacy Officer. The manager is responsible for explaining to the individual the implications of the withdrawal of consent. In the case of a client withdrawing consent, VHA may or may not be able to continue service to the client without collection of, access to, or communication of the PHI at issue.
Where at all possible and reasonable, withdrawal of consent should be in writing and signed by the individual or substitute decision-maker.
Any withdrawal of consent applies to future situations and consent may not be withdrawn retroactively.
All VHA Staff shall sign a confidentiality agreement at the start of their employment/term with VHA and shall annually agree to continue following VHA’s Confidentiality, Non-Solicitation, and Conflict of Interest Policy with respect to all confidential information at VHA, including PI/PHI.
All independent contractors/contractors/suppliers to VHA who will have access to personal information will sign a confidentiality agreement as part of their contract with VHA, and before commencing any work for VHA, that confirms that the confidentiality of VHA information will be maintained and securely stored, at all times. VHA’s Privacy Officer may conduct privacy audits of suppliers/contractors and independent contractors, as necessary, to ensure ongoing compliance with this confidentiality agreement.
Access and Disclosure
VHA Staff shall only have access to PI/PHI on a “need-to-know” basis and system controls are in place to ensure that access is only granted based on the individual’s medical/paramedical/therapeutic and administrative duties as assigned.
Accessing information for any other purpose will be deemed a disclosure that requires prior approval and the attention and response of the Privacy Officer.
Clients/employees asking to obtain copies of their client/employee records must submit a formal access request in writing. Client requests are to be submitted to the Records Management Coordinator and employee requests are to be submitted to the attention of the Human Resources (HR) Manager. All such requests must contain appropriate information to positively identify the client/employee and be signed by the client/employee and/or substitute decision-maker.
The HR Manager/Records Department will provide a response to the access request within a reasonable period of time, depending on the circumstances, but not more than 10 business days. The HR Manager/Records Department may exercise discretion not to permit review/release of portions of the record if releasing it may harm the physical or mental well-being of the client/employee. The HR Manager/Records Department will not deny access without first consulting with the Privacy Officer. The client/employee may appeal the denial of access to the Privacy Officer and then further to the President/CEO, if necessary.
For copies of the client record/employee file sent externally, for example, requests by lawyers, insurance companies and other third parties, authorization and consent in writing by the client/employee must first be obtained. Any copied records to be sent must use appropriately secure means and indicate that the information is strictly confidential, only for the use of the identified recipient, and only for the identified/requested purpose. VHA may charge a reasonable fee to lawyers, insurance companies and other third parties requesting photocopies of client/employee files.
The release of original client records is permitted only under special circumstances (i.e., court subpoena) and only then by VHA’s Privacy Officer.
No PHI/PI will be released without the written consent of the client/employee except as required by law or in the event of an emergency threatening the health or safety of the client/employee or the health and safety of the public, or in accordance with the exceptions outlined in PHIPA.
Any access to PI/PHI via patient portals or employee self-serve portals made directly by patients/their delegates or employees, respectively, is not considered a formal access request. Such access is not required to follow the procedures described above, nor is such access tracked or reported within VHA.
PHI/PI must always be sent and received securely. When PI/PHI is transmitted electronically it must only be sent using secure means as described below.
PHI/PI must never be transmitted through text messaging at any time for any reason.
By Facsimile
- PHI/PI sent or received via facsimile shall be through the approved VHA internet fax provider “efaxds.ca” where possible and, where that is not possible, from and to secure machines that can be monitored and used by authorized persons only.
- Where “efaxds.ca” is not used, the sender will notify the receiver that the PHI/PI is being transmitted so that the receiver can ensure its security and proper.
- The sender will seek confirmation of receipt of the transmission.
- The sender will indicate that the transmission is confidential and is intended only for the identified recipient and solely for the intended purpose.
By E-mail
- PHI/PI sent or received by e-mail to/from VHA Staff shall be sent through VHA’s secure system using the “@vha.ca” e-mail address of the sender.
- All PHI/PI sent or received via e-mail from or to outside third parties shall be encrypted.
- Although it is not secure, clients may wish to communicate with VHA Staff by e-mail. VHA Staff must advise clients of the risks of communicating by e-mail (i.e. sending PHI over the internet) before confirming the client’s consent to use e-mail communication. A template written consent to communicate via e-mail can be found on the ‘Loop’ intranet and within the electronic medical records system.
- Client PHI received via e-mail must be transferred to the electronic or hard-copy database files for the client and, as appropriate, erased from the network and e-mail server.
- The sender shall indicate that the transmission is confidential and is intended only for the identified recipient and solely for the intended purpose.
- No PHI/PI contained within e-mails shall be downloaded to hard drives and/or stored, held or retained in an unencrypted form, at any time.
By VHA Approved Secure Portal/Platform
From time to time, VHA, its funders or other client program participants may implement secure portals/platforms that meet all the privacy and security requirements of PHIPA and have been designed or established for the purpose of sharing PI/PHI in a secure, electronic manner. Upon review of the portal/platform by VHA’s privacy and security staff and upon receipt of formal approval by VHA’s Privacy Officer, such secure portals and platforms may be used based on the parameters of the approval given. Parameters of approval may be limited, for example, such portals/platforms may be restricted to specific uses, certain programs, particular data types or other controls.
VHA has appointed a Privacy Officer who is responsible for developing policies and procedures on privacy matters, training all VHA Staff regarding privacy, receiving questions and complaints on privacy matters, conducting regular audits, overseeing compliance with VHA’s legislative requirements, and ensuring the development and maintenance of VHA’s privacy program is consistent with best practices.
The Privacy Officer shall confirm that VHA’s policies, procedures and practices regarding the collection, use and disclosure of PHI/PI meet with VHA’s contractual obligations and that all parties sub-contracted by VHA have comparable levels of privacy protection within their respective organizations.
The Privacy Officer shall be responsible for ensuring that all VHA Staff understand their obligations with respect to privacy/confidentiality through orientation, training and signing agreements when hired or beginning service to VHA. The Privacy Officer shall also provide annual refresher training for all VHA Staff to ensure their understanding remains current and to obtain a re-certification of their commitment to their privacy obligations. Additional ad hoc training will also be provided to individuals and teams, as appropriate.
The Privacy Officer receives privacy breach reports from VHA staff and shall maintain a log of all such incidents. The Privacy Officer will provide advice regarding the handling and prevention of privacy breaches. The Privacy Officer will report privacy breaches to the relevant authorities and shall ensure notice is provided to any affected individuals, accordingly.
VHA Staff are responsible for promptly reporting any and all suspected or actual violations of this Policy and any applicable laws, such as PHIPA, to the Privacy Officer so that the situation can be appropriately investigated, addressed and resolved.
VHA takes every report seriously and will investigate each report to identify the facts and, where necessary, implement improvements to its practices and procedures.
Privacy Impact Assessments
To ensure privacy principles are being taken into account during the design, implementation and evolution of VHA’s programs, initiatives, processes and systems that include PI/PHI, the Privacy Officer or delegate shall conduct privacy reviews and/or privacy impact assessments (PIAs), as appropriate. When conducting reviews and/or PIAs, the Privacy Officer shall develop measures to mitigate, and wherever possible eliminate, any identified privacy risks.
PIAs will be conducted, reviewed and updated as necessary, in the following circumstances:
- On existing programs, initiatives, processes and systems when substantive changes relating to the collection, use or disclosure of PI/PHI are being implemented;
- In the design of new programs, initiatives, processes and systems that involve the collection, use or disclosure of PI/PHI or otherwise raise privacy issues; and
- On any other programs, initiatives, processes and systems with privacy implications, as appropriate.
Complaints, Challenges and Enquiries
All client/employee complaints related to PHI/PI, including VHA’s compliance with privacy legislation or the accuracy of PHI/PI as well as general enquiries about VHA’s policies and procedures related to the handling of information shall be referred to the Privacy Officer. An individual may also challenge the accuracy and completeness of their PI/PHI and make a request to the Privacy Officer to have it revised.
The Privacy Officer is authorized to investigate and respond to complaints, challenges and enquiries regarding privacy matters. The Privacy Officer will explain to enquiring individuals the process VHA uses to investigate and respond to enquiries, challenges or complaints relating to personal information. All complaints and challenges will be thoroughly investigated. The Privacy Officer shall inform the client/employee of the outcome of any investigation or challenge.
If a complaint is found to be valid, VHA will take appropriate measures, including as necessary, revising its policies and procedures. If a request to amend or correct an individual’s record has sufficiently demonstrated that the record was incomplete or inaccurate for the purposes for which VHA uses the information, VHA shall make the correction by recording the corrected information and striking out the incorrect information.
PHI/PI shall be securely stored and then destroyed according to legislation or after 10 years (in the case of clients under the age of 18, ten years beyond the date upon which they reach or would have reached age 18), whichever is greater.
Periodic destruction of inactive or outdated personal information will be conducted in a formal manner following all legal requirements and applicable VHA Policies relating to records retention and disposal.
PHI/PI shall be destroyed by shredding, burning, or erasure and reformatting. The Records Management Coordinator will keep records that clearly document what was destroyed and when.
Any incidental destruction of PHI/PI must be carried out under the specific direction of a Manager and must be documented by the Manager. Records of such destruction shall be retained by the Records Management Coordinator.
Related Policies
- Client Information and Records Management
- Confidentiality, Non-Solicitation, and Conflict of Interest
- Human Resources Files and Release of Information
- Information Security
- Privacy Breach
- Retention and Disposal of Client Records