This policy applies to all Royal Victoria Regional Health Centre (RVH) staff, privileged medical staff and volunteers, who use, collect and maintain personal health information, personal information and all other types of hospital information.
It is RVH policy that all information collected, used, maintained and disclosed by the hospital or its staff shall be treated in accordance with the Personal Health Information Protection Act (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA).
The first purpose of this policy is to identify the key legislatively defined terms to ensure a consistent understanding of “information”. The second purpose of this policy is to identify the guiding principles for the collection, use, maintenance, dissemination and protection of information that is in the custody or control of RVH.
Personal Health Information (PHI) refers to all health-related information, as defined in PHIPA (Section 4), that is linked to identifying information about an individual in either oral or recorded form. Health-related information is defined in the legislation as information that:
- relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
- relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
- is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual,
- relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,
- relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
- is the individual’s health number, or
- identifies an individual’s substitute decision-maker.
Personal information, as defined in FIPPA (Section 2), is recorded information about an identifiable individual including:
- information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
- information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
- any identifying number, symbol or other particular assigned to the individual,
- the address, telephone number, fingerprints or blood type of the individual,
- the personal opinions or views of the individual except where they relate to another individual,
- correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
- the views or opinions of another individual about the individual, and
- the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.
Privacy is the right of an individual to control his or her own personal information. In other words, a person can determine how, when, and to what extent, they will share information with others. With respect to health information, the right of privacy includes a patient’s right to know of, and exercise control over, any information about them.
Personal Health Information Protection Act (PHIPA)
The PHIPA outlines privacy policies and practices for health information custodians in the province of Ontario. The purposes of the PHIPA are as follows:
- To establish regulations for the collection, use and disclosure of personal health information in a manner that protects the confidentiality of the information and the privacy of the individuals in question.
- To provide individuals with the right to access personal health information about themselves and to correct or amend such information, subject to certain exceptions.
- To provide independent review and resolution of personal health information complaints.
Freedom of Information and Protection of Privacy Act (FIPPA)
Any record created or which came into the hospital’s custody or control after January 1, 2007 is subject to FIPPA. The purposes of FIPPA are as follows:
- To provide access to information controlled by public sector organizations in the interests of transparency, accountability and the exercise of democracy.
- To protect the privacy of the individuals to whom that information relates.
Consistent with the Personal Health Information Protection Act, 2004 (PHIPA), the hospital’s enterprise-wide approach incorporates the following ten privacy principles:
- Accountability – Designate a contact person to facilitate meeting RVH access and privacy obligations and to deal with any access requests, privacy related inquiries and complaints, and Commissioner’s investigations. For the purposes of FIPPA, the Chair of the Board as the head of the institution designates a contact person under the Delegation of Authority.
- Identifying Purposes – Inform all individuals (patients, employees, volunteers, affiliates, the public, etc.) of the purposes for which their personal health information and/or personal information is collected, used and disclosed, unless otherwise exempted by PHIPA or FIPPA.
- Consent – Rely on implied consent, where appropriate, or obtain express consent from the individual (patients, employees, volunteers, affiliates, the public, etc.) when collecting, using or disclosing personal health information and/or personal information, unless otherwise exempted by PHIPA or FIPPA. Disclosure of personal health information and/or personal information requires the express consent of the individual to whom the personal health information and/or personal information relates if not being made by the requestor him/herself.
- Limiting Collection – Limit collection of personal health information and/or personal information to that which is necessary for the identified purposes or for purposes that PHIPA or FIPPA permits or requires.
- Limiting Use & Disclosure – Limit use and disclosure of personal health information and/or personal information to the identified purposes, unless further consent is obtained or use or disclosure is permitted or required by law.
- Accuracy – Take reasonable steps to ensure that personal health information and/or personal information is as accurate, complete and up-to-date as is necessary for the purposes for which it is used or disclosed. Advise the person to whom the information is disclosed of limitations on the accuracy, completeness or up-to-date character of the information.
- Safeguards – Implement appropriate technical, administrative and physical safeguards to protect privacy and confidentiality of personal health information and/or personal information. Ensure staff is informed of privacy and confidentiality requirements.
- Openness – Make visibly available a written statement on the hospital’s information practices (e.g. collection, use and disclosure of personal health information and/or personal information).
- Access – In a timely manner, provide the individual (patients, employees, volunteers, affiliates, the public, etc.) access to, and the ability to correct, their personal health records and/or personal information in a manner consistent with PHIPA or FIPPA.
- Challenging Compliance – Develop and implement a procedure to allow individuals to register a complaint in relation to RVH’s access and privacy practices (Hospital Privacy Toolkit: Guide to the Ontario Personal Health Information Protection Act, Ontario Hospital Association, September 2004).
Staff, privileged medical staff and volunteers shall provide access to recorded information that is in the hospital’s custody or under its control in balance with the protection of personal privacy of individuals. This shall be done in a manner that is compliant with the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Protection Act (PHIPA).
Further, RVH shall ensure systems, policies and procedures are in place to protect the privacy of personal health information and/or personal information under its custody and control in accordance with relevant legislation.
Freedom of Information and Protection of Privacy Act R.S.O. 1990, CHAPTER F.31
Personal Health Information Protection Act S.O. 2004, CHAPTER 3
Hospital Privacy Toolkit: Guide to the Ontario Personal Health Information Protection Act, Ontario Hospital Association, September 2004