Privacy and Confidentiality of Patient Personal Health Information


Manual/Section: ADMINISTRATION / Policy No. 10
Key Words: personal health information, privacy, confidentiality
1. PURPOSE:
1.1 To establish a set of uniform rules for the collection, use and disclosure of patient Personal Health Information in a manner that recognizes the right to privacy of individuals with respect to their Personal Health Information, and the need of the Children's Hospital of Eastern Ontario (CHEO) to collect, use or disclose Personal Health Information for the purposes outlined in this policy.
1.2 To ensure that CHEO practices related to the collection, use or disclosure of Personal Health Information comply with privacy legislation in Ontario.
2. POLICY:
2.1 CHEO, in the course of carrying out its business, collects, uses and discloses Personal Health Information. CHEO is committed to protecting the privacy, confidentiality and security of all Personal Health Information entrusted to it in order to carry out its mission.
2.2 In accordance with the Personal Health Information Protection Act (PHIPA), 2004, and other relevant legislation, CHEO has a corporate responsibility to support and adhere to the following Ten Guiding Principles, also known as the Canadian Standards Association's (CSA) Model Code for the Protection of Personal Information, published in March 1996. CHEO will adhere to the Ten Guiding Principles as a whole, and they form the basis of CHEO's Privacy and Confidentiality of Patient Personal Health Information Policy (Appendix A).
  • Principle 1: Accountability for Personal Health Information
  • Principle 2: Identifying Purposes for the Collection of Personal Health Information
  • Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information
  • Principle 4: Limiting Collection of Personal Health Information
  • Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information
  • Principle 6: Accuracy
  • Principle 7: Safeguards
  • Principle 8: Openness
  • Principle 9: Individual Access
  • Principle 10: Challenging Compliance

3. SCOPE:
This policy applies to all staff, employees, physicians, trainees/students, volunteers, consultants, vendors, agents or anyone else at CHEO who may collect, use or disclose patient Personal Health Information in any format (e.g. paper, verbal or electronic).
4. DEFINITIONS:
Agent: any person that, with the authorization of CHEO, acts for or on behalf of CHEO with respect to Personal Health Information for the purposes of CHEO and not the agent's own purposes (e.g. service providers, suppliers, etc.).
Breach of privacy, confidentiality or security: unauthorized access, collection, use, or disclosure of any Personal Health Information.
Collect: to gather, acquire, receive or obtain the information by any means from any source. Information may be collected in a variety of forms.
Confidentiality: CHEO's obligation to protect the Personal Health Information with which it has been entrusted.
Disclose: in relation to Personal Health Information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person/organization that is not an agent of CHEO.
Health information custodian: a person or organization that has custody or control of Personal Health Information as a result of, or in connection with, performing the person's or organization's powers, duties or work.
Individual: in relation to Personal Health Information, means the individual, whether living or deceased, with respect to whom the information was or is being collected or created.
Identifying information: includes Personal Health Information that could identify an individual when used alone or in conjunction with other information.
Personal Health Information: "identifying information" in verbal, written or electronic form. It includes information about an individual's health or health care history in relation to:
  • The individual’s physical or mental health, including family medical history;
  • The provision of health care to the individual, including the identification of a person as a health care provider to the individual;
  • The individual's health card number and other information that is collected in the course of providing health services;
  • Blood or body-part donations;
  • Payments or eligibility for health care; and
  • The identity of an individual’s substitute decision-maker
Privacy: an individual's right to control the circulation of information about him/herself within social relationships; freedom from unreasonable interference in an individual's private life; and an individual's right to protection of information regarding him/her against misuse or unjustified publication.
Record: a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record.
Security: the safeguards or processes an organization develops and implements to protect Personal Health Information under its custody or control. Privacy legislation typically requires organizations to implement three different types of safeguards: physical (e.g. locked doors), technical (e.g. passwords and encryption) and administrative (e.g. policies).
Use: in relation to Personal Health Information in the custody or under the control of a health information custodian or a person, means to handle or deal with the information.
5. RESPONSIBILITY:
While responsibility for CHEO's compliance with the Ten Guiding Principles rests with the Chief Information and Privacy Officer, all individuals who collect, use or disclose Personal Health Information are responsible for upholding the Ten Guiding Principles (Appendix A) in their day-to-day work.
5.1 Chief Information and Privacy Officer is responsible to:
  • Facilitate the custodian's compliance with legislation;
  • Ensure that all agents of the custodian are appropriately informed of their duties;
  • Respond to inquiries from the public about the hospital’s information practices;
  • Respond to requests of an individual for access to, or correction of, a record of Personal Health Information about the individual;
  • Receive complaints from the public about the custodian's alleged contravention of privacy legislation;
  • Chair the Privacy Advisory Committee;
  • Monitor privacy, confidentiality and security related activities throughout CHEO. This includes access to Personal Health Information by patients and their families, as well as amendments to Personal Health Information in compliance with current and upcoming federal and provincial laws and the CHEO’s information privacy practices;
  • Ensure compliance with current Personal Health Information privacy legislation including the privacy principles;
  • Ensure that all research studies are implemented in accordance with current legal requirements and standards for ethical acceptability, and that they adhere to these principles of privacy, confidentiality and security; and
  • Review policies to ensure compliance with current health privacy legislation and best data protection practices in other jurisdictions.
5.2 Directors/ Managers are responsible to:
  • Ensure compliance with privacy policies and procedures within their areas of responsibility;
  • Ensure all staff from both the inpatient units and Ambulatory Care Departments protect the privacy, confidentiality and security of the Personal Health Information they have access to;
  • Approve Information Technology (IT) requirements for their staff and ensure practices to secure computerized data; and
  • Ensure all staff, trainees/students documenting electronically have signed CHEO’s “Confidentiality Agreement” (Form No. 6021)
5.3 Staff, employees, physicians, volunteers, researchers, trainees/students, consultants, vendors and contractors are responsible to:
  • Maintain the confidentiality and security of Personal Health Information they have access to; and
  • Sign the "Confidentiality Agreement" by the effective date.
5.4 Human Resources is responsible to:
  • Have all staff, employees, physicians, volunteers, researchers, trainees/students, consultants, vendors, contractors or others sign the "Confidentiality Agreement" (Form No. 6021).
5.5 Information Systems (IS) / Information Technology (IT) is responsible to:
  • Ensure the network environment has appropriate security commensurate with sensitivity, criticality, etc;
  • Provide a secure, managed firewall;
  • Provide reasonable protection from security breaches such as virus attacks and hackers;
  • Ensure that security controls are cost-effective relative to the risk they address, or are necessary to meet applicable mandates;
  • Ensure individual accountability for the appropriate use of information technology;
  • Conduct regular audits of the network environment;
  • Inform all end-users of the auditing functions and capabilities; and
  • Provide a secure environment with authorized physical access to the CHEO’s data processing facilities.

6. PROCEDURE:
6.1 CHEO has a corporate responsibility to support the following data protection strategies. The strategies include the development and implementation of:
  • Policies for the protection of all Personal Health Information;
  • Policies that clearly define and limit access to Personal Health Information;
  • Data security measures that include physical, technical and administrative safeguards;
  • A Privacy Advisory Committee to coordinate and monitor privacy-related activities throughout CHEO;
  • Identification of a Chief Information and Privacy Officer;
  • Appropriate staff education relating to the protection of Personal Health Information;
  • Appropriate review processes for research through the Research Ethics Board; and
  • Regular review of policies to ensure compliance with current health privacy legislation and best data protection practices in other jurisdictions.

7. CROSS-REFERENCES:
  • CHEO, Access to and Disclosure of Patient Health Information Policy
  • CHEO, Access Control to Information Systems Policy
  • CHEO, Acceptable Use of Information Systems Policy
  • CHEO, Confidentiality and Protection of Employee Personal Information Policy
  • CHEO, Consent Policy
  • CHEO, Retention and Destruction of Health Records Policy
  • CHEO, Security of Personal Health Information Policy
  • Authorization to Disclosure of Personal Health Information (Form No. 4010)
  • Confidentiality Agreement (Form No. 6021)
  • Consent to Disclosure of Personal Health Information (Form No. 4010)
  • Patient Consent for Email Communication (Form No. 1234)
  • Protecting the Privacy of Patient Information at CHEO (Form No. P5520E/F)
  • Withdrawal of Consent for Further Use/Disclosure of Personal Health Information (Form No. 1139)

8. REFERENCES:
  • Ontario regulatory colleges (Audiologists, Child Life Specialists, Child and Youth Counsellors, Diagnostic Medical Sonographers, Dietitians, Genetic Counsellors, Medical Radiation Technologists, Neurophysiology, Nurses, Occupational Therapists, Pharmacists, Physicians and Surgeons, Physiotherapists, Psychologists, Registered Respiratory Therapists, Speech Language Pathologists, Social Workers/Registered Social Workers).
  • Consent to Treatment Act
  • CSA Model Code for the Protection of Personal Information.
  • Ontario Hospital Association (OHA) Guidelines for Managing Privacy, Data Protection and Security
  • eHealth Ontario Privacy and Data Protection Policy, Version 3
  • Frequently asked Questions: Personal Health Information Protection Act. February 2005
  • Ontario Bill 31
  • Ontario Mental Health Act
  • Ontario Substitute Decisions Act
  • Personal Health Information Protection Act (PHIPA), 2004
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act
  • Public Hospitals Act (PHA)
  • The Ottawa Hospital (TOH) Privacy Policy, 2004

9. ATTACHMENTS:
  • Appendix A: Privacy: The Ten Guiding Principles

10. DEVELOPED BY:
  • Privacy Advisory Committee
  • Health Records
  • Information Services

APPENDIX A

PRIVACY

The Ten Guiding Principles

Principle 1: Accountability for Personal Health Information

CHEO is responsible for Personal Health Information under its custody or control. Accountability for CHEO's compliance with the principles rests with the Chief Information and Privacy Officer, even though other individuals within CHEO are also responsible for the day-to-day collection and processing of Personal Health Information.

CHEO is responsible for Personal Health Information that has been transferred to a third party for processing. CHEO will use contractual or other means to provide a comparable level of protection while information is being processed by a third party.

When CHEO retains an external agent (service providers, suppliers, etc.) to assist in providing services, CHEO shall use affiliation agreements or other means to provide a comparable level of protection while Personal Health Information is being processed or accessed by that third party, and will enter into a written agreement with the agent which includes:

  1. A description of the services that the agent will provide;
  2. A description of the administrative, technical and physical safeguards relating to the confidentiality and security of the information;
  3. A statement restricting the use of the information only for the stated purpose and for no other purpose except as permitted or required by law;
  4. A statement that the agent is aware of, and will comply with, its duties as an agent under the Personal Health Information Protection Act and its regulations;
  5. A statement of the agent’s obligation to notify CHEO at the first reasonable opportunity if Personal Health Information handled by the agent on CHEO’s behalf is stolen, lost or accessed by unauthorized persons; and
  6. A statement that upon termination or expiry of the agreement, all Personal Health Information that the agent may possess as a result of the agreement, in any form, shall be returned to CHEO or destroyed (as appropriate) and that no copies will be retained.

CHEO has policies and practices to give effect to this principle. These include:

  • Procedures to protect Personal Health Information;
  • Procedures to receive and respond to complaints and enquiries. Patient/family concerns and complaints are received and responded to through the Patient and Family Representative and the Chief Information and Privacy Officer's office;
  • Education and communication to all staff/employees about CHEO's policies and procedures; and
  • Providing oversight and leadership with respect to privacy and protecting Personal Health Information through the Chief Information and Privacy Officer.

All staff, employees, agents and others listed in this policy are responsible for reporting any breach of this policy. If there is a known breach of confidentiality, the infraction must be reported to CHEO's Chief Information and Privacy Officer and to the person responsible for protecting the Personal Health Information (e.g. manager, director, etc.). Violation of this policy is grounds for disciplinary action up to and including dismissal. Physicians and residents breaching their duty of privacy and confidentiality as outlined in this policy may be subject to suspension or termination of privileges.

Principle 2: Identifying Purposes for the Collection of Personal Health Information

CHEO will collect Personal Health Information for the following purposes:

  • Provide clinical care to patients;
  • Assess resource utilization in the delivery of care;
  • Plan for the development and delivery of care and services across the City of Ottawa and Eastern Ontario;
  • Document patterns of illness to support prevention programs, early disease detection, statistics and quality improvement (including risk management);
  • Monitor and evaluate the quality of care and the outcomes resulting from that care;
  • Administration and management of the hospital (including payment claims);
  • Support and promote research and education;
  • Support and promote fundraising for CHEO; and
  • Meet legal and regulatory requirements.

CHEO shall only collect the Personal Health Information it needs to fulfill these purposes. Persons collecting Personal Health Information on behalf of CHEO shall be able to explain to individuals the purpose for which the information is being collected.

The identified purposes shall be specified, at or before the time of direct collection, to the individual from whom the Personal Health Information is collected. Depending on the way in which the Personal Health Information is collected, this will be done orally or in writing through the use of notice signs, brochures, etc.

When Personal Health Information that has been collected is to be used for a purpose not previously identified the consent of the individual or substitute decision-maker will be obtained, unless the new purpose is required by law.

Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information

The knowledge and consent of the individual are required for the collection, use or disclosure of Personal Health Information, except where it may be inappropriate due to legal, medical or security reasons.

Typically, CHEO will seek consent, whether written, electronic, oral or implied, for the use or disclosure of the information at the time of collection. Users must exercise extreme caution when communicating confidential or sensitive information by email (see the Acceptable Use of Information Systems Policy and the Patient Consent for Email Communication form). All Health Care Providers must follow their College's scope of practice/service regarding the use of electronic mail for communicating Personal Health Information.

CHEO will make a reasonable effort to ensure that the individual is advised orally and in writing (through the use of notice signs and brochures) about the collection, use or disclosure of their Personal Health Information.

Note: When Personal Health Information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. If CHEO does not have a direct relationship with the individual, it may not be able to seek consent.

In certain circumstances, this consent may be sought after the Personal Health Information has been collected but before use (for example, when CHEO wants to use Personal Health Information for a purpose not previously identified). The purposes for the collection, how the Personal Health Information will be used and disclosed will be stated in such a manner that the individual can reasonably understand.

CHEO will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of Personal Health Information beyond that required to fulfill the explicitly specified and legitimate purposes. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the Personal Health Information will be used or disclosed.

An individual may withdraw consent (Form No. 1139) at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent has no retroactive effect. CHEO will inform the individual of the implications of such withdrawal. An individual may also place certain conditions on their consent for the collection, use or disclosure of their Personal Health Information. The conditions may not prohibit or restrict any recording of Personal Health Information that is required by law, by established standards of professional practice or by CHEO policy.