Smooth Rock Falls Hospital (HSRFH) is committed to protecting the privacy, confidentiality, and security of all personal information with which it is entrusted in order to carry out its mission. Our policy includes the ten principles of the Canadian Standards Association’s Model Code for the Protection of Personal Information. The ten principles, which form the basis of the Smooth Rock Falls Hospital’s Privacy Policy, are interrelated, and HSRFH will adhere to the ten principles as a whole (see Appendix A).

The principles in the Model Code for the Protection of Personal Information are supported by nine major data protection strategies. All individuals with access to personal information under the custody or control of HSRFH are responsible for supporting these strategies (see Procedures).

Definitions

Breach of privacy, confidentiality or security refers to the unauthorized access, collection, use or disclosure of any personal information or personal health information. Breaches can be intentional (e.g. purposely accessing information about your neighbour when you do not require such information for your job) or inadvertent (e.g. accidentally sending a report to the wrong fax number). Breaches also include a failure to protect personal information or personal health information with which an employee or agent is entrusted (e.g. leaving health records unattended or sharing a password).

Collect means to gather, acquire, or obtain information by any fair and lawful means. Information may be collected in a variety of forms (e.g. written, verbal, electronic, photographic, etc.).

Confidentiality is an organization’s obligation to protect the personal information with which it has been entrusted.

Disclose means to make personal health information available to an organization that is not an agent of HSRFH.

Employee information is defined as personal or job-related information such as, but not limited to: demographics, employment, salary, benefits, employment testing results, and performance data.

Express consent means an organization must ask for and obtain an individual’s permission before collecting, using or disclosing his or her personal information for a specific purpose. An example of express consent would be obtaining a patient’s permission (and signature) before disclosing his or her personal information to an insurance company or employer. Express consent can be obtained verbally, electronically or in writing (e.g. with a signature or a check-off box).

Implied consent means an organization does not have to specifically ask for and obtain permission from an individual before collecting, using or disclosing his or her personal information for a specific purpose. For implied consent to be valid, the collection, use or disclosure of personal information must be reasonably obvious to the individual. An example of implied consent would be sending a patient’s name and health record to a specialist after the patient had asked his or her family physician for a referral to the specialist. (By presenting for treatment at the family physician, the patient implicitly gives permission for his or her name and personal health information to be sent to the specialist with whom an appointment is required.)

Individual means the individual, whether living or deceased, with respect to whom personal information is or was collected, used or disclosed.

Organization is any entity, including a person, an association whether or not incorporated, a partnership, a health information custodian, or a trade union.

Personal health information is information in any form that concerns an individual’s health, medical history or past or future medical treatment, and is in a form that enables or could enable the individual to be identified.

Privacy provides an individual with the right to control the circulation of information about him/herself within social relationships; freedom from unreasonable interference in an individual’s private life; and an individual’s right to protection of information regarding him/her against misuse or unjustified publication.

NEON partners are Englehart and District Hospital, Kirkland and District Hospital, Northeast Mental Health Center, Temiskaming Hospital, Sudbury Regional Hospital, Smooth Rock Falls Hospital, and Timmins and District Hospital; other area hospitals will soon be joining.

Research means a systematic investigation designed to develop or establish principles, facts or general knowledge, or any combination of the above, and includes the development, testing, and evaluation of research.

Security refers to the safeguards or processes an organization develops and implements to protect personal information under its custody or control. New privacy legislation typically requires organizations to implement three types of safeguards: physical (e.g. locked doors), technical (e.g. passwords and encryption) and administrative (e.g. policies).

Use means to handle or deal with personal information, including the sharing of such information with an authorized agent of HSRFH (sharing the information with a separate organization that is affiliated with HSRFH is a disclosure, not a use).

Acronyms used in this policy:
- NORrad: Northern Radiology
- CRLP: Cochrane Regional Lab Program
- eCHN: Electronic Children’s Health Network
- NEON: North Eastern Ontario Network

Personal Health Information (PHI) is defined in the Personal Health Information Protection Act, 2004 (PHIPA) and includes information that identifies (or could reasonably identify) an individual and that is collected in the course of providing health care services to that individual, such as:
- Information that relates to the physical or mental health of that individual
- That individual’s family history, as reflected in the patient’s record at the hospital
- That individual’s payment or eligibility for funding for health care
- Information that relates to that individual’s donation of a body part or bodily substance
- The identity of that individual’s substitute decision-maker
- That individual’s health card number
Appendix A: The 10 Guiding Principles

- Accountability
HSRFH is responsible for personal information under its control and has designated an individual referred to as the Privacy Officer, who is accountable for its compliance with the following:
- Accountability for HSRFH compliance with the principles rests with the designated Privacy Officer even though other individuals within the hospital may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within HSRFH may be delegated to act on behalf of the Privacy Officer.
- The identity of the Privacy Officer so designated by HSRFH to oversee its compliance with the principles has been made known.
- HSRFH is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. It will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
- HSRFH has affiliation agreements to provide a comparable level of protection while personal health information is being processed or accessed by its regional partners.
HSRFH has implemented policies and practices to give effect to the principles, including:
- Procedures to protect personal information
- Procedures to receive and respond to complaints and inquiries
- Training and communicating information with respect to HSRFH policies and practices to staff
- Developing information to explain its policies and procedures
- Identifying Purposes for the Collection of Personal Information
At or before the time personal information is collected, HSRFH will identify the purposes for which personal information is collected.
HSRFH collects personal information for the following purposes:
- To direct patient care
- To monitor and evaluate the quality of care and the outcomes resulting from that care
- To administer and manage the health care system, including assessment of resource utilization and planning
- To support and promote fundraising for HSRFH
- To comply with legal and regulatory requirements
- Identifying the purposes for which personal information is collected at or before the time of collection allows HSRFH to determine the information it needs to collect to fulfill these purposes. The hospital will only collect the information necessary for the purposes that have been identified.
- HSRFH will specify the identified purposes at or before the time of collection to the individual from whom the personal information is collected. Depending on the way in which the information is collected, this may be done orally or in writing. An admission or appointment form, for example, may give notice of purposes. A patient who presents for treatment is also giving implicit consent for the use of his or her personal information for authorized purposes.
- When personal information that has been collected is to be used for a purpose not previously identified, the consent of the individual is required before the information can be used for that purpose, unless the new purpose is required by law.
- Persons collecting personal information shall be able to explain to individuals the purpose for which the information is being collected.
- Consent for Collection, Use, and Disclosure of Personal Information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
NOTE: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. If HSRFH does not have a direct relationship with the individual, it may not be able to seek consent.
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, HSRFH will seek consent at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (e.g. if HSRFH wants to use the information for a purpose not previously identified).
- HSRFH will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes will be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- HSRFH will not, as a condition of the supply of service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
- The form of consent sought by HSRFH may vary. In determining the form of consent to use, HSRFH will take into account the sensitivity of the information.
- Consent will be obtained based on reasonable expectations. When collecting personal information for testing and treatment purposes, HSRFH will assume implied consent and use that information when contacting physician offices to report results.
- HSRFH will use express consent when the information collected is likely to be considered sensitive (e.g. HIV testing). Implied consent will be used when the information is less sensitive. An authorized representative (such as a legal guardian or a person having power of attorney) can also give consent.
Individuals can give consent in many ways. For example:
- HSRFH may use admission and appointment forms to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing a form, the individual will be considered to be giving consent to the collection and specified uses.
- HSRFH will accept oral consent when information is collected over the phone.
- HSRFH will seek consent at the time that individuals receive a service or treatment.
- HSRFH recognizes the individual’s right to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. HSRFH will inform the individual of the implications of such withdrawal.
- Limiting Collection of Personal Information
HSRFH will limit the collection of personal information to that which is necessary for the purposes identified. Information will be collected by fair and lawful means.
HSRFH will not collect information indiscriminately. Both the amount and type of information collected will be limited to that which is necessary to fulfill the purposes identified.
- Limiting Use and Disclosure
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
- HSRFH will document the uses of the personal information which it collects, develop guidelines, and implement procedures with respect to the retention of personal information.
- Access to confidential information will be limited to individuals who require the information to perform their job functions, and according to the hospital’s access policy. Such information is to be maintained in the strictest confidence as per HSRFH confidentiality and security policies.
- HSRFH’s policy on retention of records outlines retention periods. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made. Record retention guidelines are in keeping with legislative requirements with respect to retention periods.
- Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased or made anonymous according to HSRFH’s hospital policy on destruction of records.
- Unless a patient tells the hospital otherwise, the hospital will disclose patient information to other healthcare providers in the “Circle of Care” who need to know this information to provide care or help to provide care. The “Circle of Care” includes healthcare professionals, pharmacies, laboratories, ambulance, nursing homes, CCACs, other hospitals in partnership with NEON (NORrad, CRLP, eCHN), and home service providers who provide a patient with healthcare services.
- Unless the patient tells the hospital otherwise, the hospital will inform anyone who calls or visits of the patient’s room number.
- Unless the patient tells the hospital otherwise, if the patient gives the hospital information about his/her religious affiliation, the hospital may give the patient’s name and room number to a hospital representative of the patient’s religious affiliation.
- Unless a patient tells the hospital otherwise, the hospital may give a patient’s name and address to the respective hospital foundation, which may contact the patient for fundraising purposes. The patient can ask not to be contacted for fundraising at any time.
Sometimes the law requires the hospital to disclose information about a patient (e.g. healthcare number) for payment purposes. The hospital will disclose patient information when the law requires or permits the hospital to do so.
- Ensuring Accuracy of Personal Information
Personal information and personal health information should be as accurate, complete and up-to-date as possible.
Taking into account the interests of the individual, the information collected will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
HSRFH will routinely update personal information. Personal information will be updated to support booked or pre-registered visits to HSRFH.
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will be as accurate and up-to-date as possible.
- Ensuring Safeguards for Personal Information
Personal information is protected by security safeguards appropriate to the sensitivity of the information.
HSRFH is committed to the protection of personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which it is held.
The safeguards used will vary depending on the sensitivity of the information, the format of the information and the method of storage. A higher level of protection will safeguard more sensitive information, such as health records and financial data.
The methods of protection include: physical measures (locked file cabinets, proximity access to health information services, and restricted access to offices), administrative measures (confidentiality agreements signed annually, and access to information limited to a “need-to-know” basis), and technological measures (passwords, encryption, and audit trails).
HSRFH provides ongoing education to make its employees aware of the importance of maintaining the confidentiality of personal information. It is also committed to preventing unauthorized parties from gaining access to personal information during its disposal and destruction.
- Openness About Personal Information Policies and Practices
HSRFH will make available information about the policies and practices relating to the management of personal information.
Information on the hospital’s policies and practices will be made available in a format which is easily understood and will be available through the Privacy Officer.
The information made available will include:
- The name, title, and the address of the Privacy Officer to whom complaints or inquiries can be forwarded.
- The means of gaining access to personal information held by the HSRFH.
- A description of types of personal information held by the hospital, including a general account of its use.
- What personal information may be made available to related organizations (e.g. the foundations, regional partners).
- Information on the policies and practices of HSRFH with respect to the collection, use, retention, and destruction of personal information is made available through posters in high-traffic areas and through mailings on request.
- Individual Access to Own Personal Information
Upon request, an individual will be informed of the existence, use, and disclosure (in general terms) of his or her personal information and will be given access to that information according to the policy on release of health information.
- HSRFH may limit disclosure of sensitive medical information, making it available through a medical practitioner.
- An individual may be required to provide sufficient information to permit the HSRFH to provide an account of the existence, use and disclosure of his or her personal information.
- In providing an account of third parties to which it has disclosed personal information about an individual, HSRFH will attempt to be as specific as possible. When it is not possible to be specific, HSRFH will provide a list of organizations to which it may have disclosed information about the individual.
- HSRFH will respond to an individual’s request within a reasonable time and at a defined cost to the individual. The requested information will be provided or made available in a form that is generally understandable. This release will be in accordance with the hospital policy on the release of information. A copy of the hospital policy on acceptable abbreviations will be made available upon request.
- When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, HSRFH will amend the information according to the policy on amendments to personal information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
- When a challenge is not resolved to the satisfaction of the individual, HSRFH will record the substance of the unresolved challenge according to the policy on amendments to personal information. Where appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question. The challenge will be recorded and filed within the office of the Privacy Officer.
NOTE: In certain situations, the HSRFH may not be able to provide access to all the information it holds about an individual. Exceptions to the access requirements will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
- Challenging compliance with HSRFH Privacy Policies and Procedures
An individual will be able to address a challenge concerning compliance with this policy to the Privacy Officer.
- HSRFH privacy complaints procedure and privacy information request procedures are available through the Privacy Officer.
- The Privacy Officer will inform individuals who make inquiries or lodge complaints of the existence of the relevant complaints procedures.
- HSRFH will investigate all complaints. If a complaint is found to be justified, the hospital will take appropriate measures, including, if necessary, amending its policies and procedures.
Compliance with this Policy
- All HSRFH agents (employees, directors, volunteers, students and professional staff) are required to know and comply with this policy. Confirmation of compliance is required. Any breach of this policy may result in significant disciplinary action, including:
  - For employees and volunteers: suspension, demotion and termination.
  - For professional staff members: restriction or revocation of privileges, in whole or in part.
Agents may only use patient information as permitted by HSRFH and within the same legal limitations imposed on the hospital by PHIPA. All agents must notify the Privacy Officer at the first reasonable opportunity if patient information is lost, stolen or accessed without authorization.

HSRFH Privacy Officer

HSRFH’s Chief Executive Officer is ultimately responsible for ensuring accountability and compliance with this policy. The Privacy Officer may delegate to others the day-to-day supervision of the collection, use, and disclosure of information.