PRIVACY AT VHA > FAQs

Frequently asked Questions

Personal health information refers to identifying information about an individual in oral or recorded form, if the information,
  • relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
  • relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
  • is a plan of service for the individual,
  • relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,
  • relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
  • is the individual’s health number, or
  • identifies an individual’s substitute decision-maker.

Identifying information means information that identifies an individual or for which there is a reasonable basis to believe that the information could be used, either alone or along with other information, to identify an individual.

The Personal Health Information Protection Act (PHIPA) is Ontario’s health specific privacy legislation which came into force on November 1, 2004. PHIPA governs the way personal health information may be collected, used and disclosed within the health sector. It regulates health information custodians, as well as individuals and organizations that receive personal health information from custodians.

PHIPA creates a consistent approach to protecting personal health information across the health sector. The legislation was designed to give individuals greater control over how their personal health information is collected, used or disclosed. PHIPA balances the privacy rights of individuals with the legitimate need of custodians to collect, use and disclose personal health information in order to deliver effective and timely health care and to plan and manage our publicly funded health system.

VHA has appointed a Privacy Officer who is responsible for developing policies and procedures on privacy matters, training all VHA Staff regarding privacy, receiving questions on privacy matters, conducting regular audits of VHA’s compliance with legislative requirements, such as PHIPA, and overseeing compliance within the organization of VHA’s general policies and procedures related to privacy.

If you want to access your personal health information, you should speak with your service provider about any information that you want to know and they can assist you on how to get access to your health information.

If you want to get a copy of your health records, you will be referred to VHA’s Health Records department to view or obtain copies of your health record. The Health Records department will ask you to provide certain information and/or complete certain forms in order for you to access your chart(s). There is no fee to access your health records through the Health Records department.

Members of your family can only see your personal health information with your consent or if they are an appointed Substitute Decision Maker (SDM).

If you are unable to give consent for a family member to access your health records due to reasons of competency or consciousness, the consent decision falls to the appointed substitute decision maker, such as a parent or guardian. This person is bound by law to act on your behalf and must make decisions based on their belief of what you would wish done if you were able to decide.

VHA has a privacy breach protocol to follow in the event of an actual or suspected breach.

VHA Staff are responsible for promptly reporting suspected or actual privacy breaches to the Privacy Officer so that the situation can be appropriately investigated, addressed and handled in accordance with the breach protocol.

VHA takes every report seriously and will investigate each report to identify the facts and, where necessary, effect improvements to its practices and procedures.

VHA’s privacy breach protocol includes:

  1. reporting actual or suspected breach
  2. identifying scope of breach
  3. containment of breach
  4. notification to affected individuals and applicable regulatory bodies

There are 3 components to protecting personal health information at VHA:

  1. Administrative Safeguards: VHA has policies that govern the way all VHA care providers and employees manage personal information, for example, VHA’s Personal Information Privacy Policy, Privacy Breach Policy and Information Security Policy. In addition, all VHA employees receive annual Privacy training and sign a privacy commitment as a condition of employment.

  2. Physical Safeguards: VHA has a number of physical safeguards to ensure protection of personal health information, which range from locked filing cabinets to staff wearing photo identification to identify themselves as VHA employees.

  3. Technical Safeguards: VHA’s IT department upgrades the security capabilities of the information system on an ongoing basis. All system access requires passwords and authentication to protect against inappropriate or improper access and to maintain a record of who has accessed the information. Access rights to VHA staff are given based on their role and their need to access information to complete the functions of their role.

If you believe that your privacy rights have been violated, you have the right to submit a written complaint to VHA’s Privacy Office. All privacy complaints will be treated in a confidential manner.

You may also submit a written complaint to the Information Privacy Commissioner of Ontario at:

Information and Privacy Commissioner / Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario
Canada M4W 1A8
1-416-326-3333
1-800-387-0073
www.ipc.on.ca

VHA’s Privacy Officer may be reached

by email:           privacy@vha.ca

by phone:         416-489-2500 ext. 8782

by fax:               416-644-1829

In person:        30 Soudan Ave, Suite 600 Toronto ON M4S 1V6

Express consent to the collection, use or disclosure of personal health information is consent that has been clearly and unmistakably given. Express consent may be explicitly provided, either orally or in writing.

Implied consent to the collection, use or disclosure of personal health information is consent that can be concluded based on an individual’s action or inaction in the circumstances. For example, when an individual discloses their personal health information for the purpose of receiving care, the service provider can reasonably infer the individual has given consent to the collection of that information.

Under PHIPA, Individuals are deemed capable of consent if they are able to understand information relevant to deciding whether to consent to the collection, use or disclosure of their personal health information, and to appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing their consent.

If it is believed that an individual is incapable of providing consent, PHIPA permits a substitute decision-maker, such as a relative, spouse, child’s parent, or the Public Guardian and Trustee, to make a decision on an individual’s behalf.

You can withdraw your consent at any time by notifying your service provider and/or VHA’s Privacy Officer that you wish to withdraw your consent. The withdrawal of consent to collect, use or disclose your personal health information may impact our ability to serve you.