LAKEVIEW FHO PRIVACY POLICY

Original Issue:  May 6, 2021

Last Revision:   

Reference:         PHIPA (2004) & Ontario Regulation 224/17 (2017)

Authorized by:   Lakeview Family Health Organization Lead Physician


Introduction

Overview

This policy applies to physicians of the Lakeview Family Health Organization (LFHO).  

The LFHO maintains privacy in compliance with the Personal Health Information Protection Act, 2004 (PHIPA), which establishes rules for the collection, use and disclosure of personal health information about individuals, protects the confidentiality of that information and the privacy of individuals with respect to that information, and facilitates the effective provision of health care. The LFHO leases an Electronic Medical Record (EMR) solution provided and secured by Telus, which is the Health Information Network Provider (HINP). It is paid for and used by the LFHO physicians and used by their respective employees.

Purpose

The purpose of this Privacy Policy is to describe the LFHO’s role as a Health Information Custodian (HIC) of Personal Health Information (PHI), and the LFHO’s obligations and requirements for the protection of patient privacy and the appropriate management of PHI, as defined by PHIPA, its regulations, and best practices.

Scope

This policy applies to all LFHO physicians and their respective employees, and to all personnel affiliated with third parties who are contracted by the LFHO to provide services to the LFHO and its physicians. They are responsible for the privacy and confidentiality of the personal health information that they collect, use and disclose in their role(s) as Health Information Custodian (HIC) and/or Agent of an HIC.


Privacy Governance

2.1 The LFHO has a privacy and security governance structure that distributes accountability and responsibility for privacy and security to the appropriate individuals and bodies.

2.2 The following individuals comprise the privacy and security governance structure of the LFHO.

  • LFHO Lead Physician

  • LFHO Privacy Liaison

  • Algonquin Family Health Team (AFHT) Privacy Officer

2.3 The LFHO has overall accountability for protecting privacy within the LFHO and will approve the privacy policies on the recommendation of the LFHO Lead Physician, LFHO Privacy Liaison, and AFHT Privacy Officer. The LFHO is accountable for ensuring that the LFHO has implemented a privacy program to support compliance with PHIPA and its regulation.

2.4 The LFHO will appoint the LFHO Privacy Liaison who will work with the AFHT Privacy Officer to ensure that the privacy program is implemented effectively and efficiently.

2.5 The AFHT Privacy Officer will:

  • Prepare monthly privacy reports for the LFHO’s physicians

  • Direct privacy reviews, assessments and audits

  • Act as the point of contact for the LFHO Privacy Liaison to manage privacy inquiries and complaints, and to resolve and investigate privacy and security incidents and breaches in collaboration with the HIC

2.6 The LFHO Privacy Liaison will, in collaboration with the AFHT Privacy Officer:

  • Prepare and update an annual plan for the LFHO’s privacy program

  • Oversee and manage the execution of the privacy program within the LFHO

  • Ensure that the LFHO complies with its privacy obligations as defined in PHIPA and its regulation, other relevant legislation, and its own policies

  • Review monthly privacy reports from the AFHT Privacy Officer

  • Provide guidance on the resolution of privacy issues, including but not limited to:

    • privacy complaints

    • privacy and security incidents

    • results of assessments, audits and threat and risk assessments

    • recommendations for changes to the LFHO’s privacy policies and procedures

  • Publish privacy notices within the LFHO

  • Maintain a risk registry to monitor risk mitigation activities (PL)

  • Maintain an action plan to continuously improve the privacy management program

  • Ensure that the LFHO’s employees are aware of privacy and security concepts, principles, and privacy and security policies and procedures

  • Ensure the LFHO’s employees and its physicians sign confidentiality agreements and complete privacy training on an annual basis.

  • Monitor the privacy management and operations processes within the LFHO to identify non-compliance issues, gaps and deficiencies as well as opportunities for improvement.

  • Report privacy and security issues (risk, gaps, deficiencies, opportunities for improvement) with serious privacy and security impact to the HIC and AFHT Privacy Officer.

  • Provide privacy advice and guidance to the LFHO physicians and employees.

Privacy Policy

Legal Obligations

3.1 Health information custodians (HICs) within the LFHO are responsible for ensuring that the personal health information (PHI) of their patients and clients is treated according to the requirements set out in PHIPA and its regulation.

Consent for the Collection, Use and Disclosure of Personal Health Information

3.2.1 The knowledgeable consent of the individual is required for the collection, use or disclosure of PHI.

3.2.2 HICs inform patients of the purposes for the collection, use and disclosure of PHI.

3.2.3 The express consent of patients is obtained:

  1. for disclosures to people or organizations that are not health information custodians under PHIPA;

  2. for disclosures to health information custodians that are not for the purpose of providing health care;

  3. for uses and disclosures the purpose for which was not communicated when consent was initially obtained by the primary care provider.

3.2.4 The LFHO’s HICs and/or agents conduct assessments of the capacity of patients to provide knowledgeable consent, and will work with a patient’s family and caregivers to determine a substitute decision maker for the patient or client where she or he is assessed to be incapable of providing knowledgeable consent. The LFHO’s employees will never obtain consent through deception or coercion.

3.2.5 LFHO employees respect a patient’s right to request that her or his PHI be withheld from specific individuals and organizations, and will take reasonable measures to ensure that PHI is withheld from the specified individuals and organizations. 

Limiting the Collection, Use and Disclosure of Personal Health Information

3.3.1 At or before the time PHI is collected, the HIC and/or agent identifies the purposes for which the personal health information is collected.  

3.3.2 The HIC and/or agent limits the collection, use and disclosure of PHI to only the information that is required to fulfill the purposes that were identified to patients before collection.

3.3.3 The collection of PHI is limited to that which is necessary for the purposes identified by the primary care provider.

3.3.4 Permitted purposes include:

  • The delivery of patient care

  • The administration of the health care system

  • Research with prior approval of HICs and/or Corporation

  • Teaching

  • Statistics

  • Meeting legal and regulatory requirements as described in PHIPA


Retention, Archiving and Destruction of Personal Health Information

3.4.1 All PHI should be retained only for the time period required to fulfill the purposes for which the information was collected, or as authorized or required by legislation.

3.4.2 PHI should be retained for at least 10 years or, where the patient was a minor, for 10 years after the patient turns 18.

3.4.3 PHI that is no longer required by the primary care provider for its identified purposes is securely destroyed or rendered irretrievable to prevent unauthorized access to the information.

Openness

3.5 The LFHO has made its Privacy Policy public by posting the policy at each site. The Policy includes the LFHO’s feedback process and contact information for that process.

Patients’ Privacy Rights

3.6.1 The HIC will inform the patient of the existence, use and disclosure of his or her PHI. Upon request, an individual will be given access to that information according to PHIPA legislation. 

3.6.2 Each HIC will take reasonable steps to ensure that personal health information is accurate, complete and relevant as is necessary to minimize the possibility that inappropriate information may be used for a specified purpose.

3.6.3 Each HIC will respond to inquiries and complaints received directly from patients and clients. Patients and clients may also submit formal inquiries and complaints regarding the LFHO’s privacy program and privacy practices by following the LFHO’s feedback process.

Safeguards

3.7 The LFHO has implemented appropriate information security safeguards to protect PHI from unauthorized collection, use or disclosure, including:

    • mandatory annual privacy training and awareness activities for all physicians and employees in collaboration with AFHT

    • confidentiality and privacy agreements signed annually by all physicians and employees

    • technical safeguards such as encryption of PHI

    • auditing & reporting (annually since 2019)

Incident Management

3.8.1 The LFHO will inform patients of the loss, theft or inappropriate access to their PHI as soon as reasonably possible.

3.8.2 All LFHO employees receive training in support of the containment, resolution and investigation of privacy and security incidents within the LFHO. 

3.8.3 For every confirmed privacy incident, the AFHT Privacy Officer will oversee an incident response procedure to:

      • contain the incident;

      • in collaboration with the HIC, investigate the incident to determine the nature, scope and root cause of the incident;

      • notify affected patients regarding the incident;

      • in collaboration with the HIC, notify the Information and Privacy Commissioner of Ontario and the regulatory colleges if appropriate;

      • evaluate the cause(s) of the incident and conduct remediation activities as required.


Training and Awareness

3.9.1 As a condition of employment, all new LFHO employees/Agents must sign a confidentiality agreement and a privacy agreement. 

3.9.2 The LFHO Privacy Liaison makes the LFHO’s employees aware of the privacy concepts, privacy principles, privacy requirements, and privacy practices of the LFHO through annual training and review of its policies and procedures.

3.9.3 The LFHO, in collaboration with the Algonquin Family Health Team (AFHT), provides ongoing training and awareness to ensure employees and Agents are provided with the tools and support appropriate to enable them to fulfill their duties as they relate to the privacy of PHI.

Privacy Policy Maintenance 

While this policy is expected to be long-term, changes will be needed to keep it up to date with changes in the internal and external environment. The content of this policy will be reviewed at least annually and more frequently as needed. Employees will be advised of changes in content within 30 business days of those changes.




Appendix A: Glossary

Terms & Definitions

Agent

An Agent is someone who is authorized by a Health Information Custodian (HIC) to do anything on behalf of the custodian with respect to personal health information and in support of the provision of care. LFHO employees when in the circle of care are Agents of the affiliated physicians.

LFHO

The group of family physicians within the Lakeview Family Health Organization

Collect

As defined in section 2 of PHIPA, “collect” means to gather, acquire, receive or obtain the information by any means from any source, and “collection” has a corresponding meaning.

Confidentiality

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Consent

Consent is defined in PHIPA PART III, under sections 18 – 28. 

Under PHIPA section 18(1)(b), in order for consent to be valid, it must be knowledgeable. Knowledgeable consent is defined in section 18(5) as follows: a consent to the collection, use or disclosure of personal health information about an individual is knowledgeable if it is reasonable in the circumstances to believe that the individual knows:

  • the purposes of the collection, use or disclosure, as the case may be; and

  • that the individual may give or withhold consent. 2004, c. 3, Sched. A, s. 18 (5).

Consent can be either implied or express, but in order to be valid the consent must be knowledgeable.

Consent Directive

An individual’s request to place restrictions on the use or disclosure of his/her personal health information by either expressly withdrawing or withholding consent is referred to as a “consent directive.” 

Consent directives are implemented through “blocking” mechanisms in the EMR, or through physical restriction of access to the personal health information record in non-electronic formats such as paper records.

Disclose

As defined in section 2 of PHIPA, “disclose” refers to making personal health information “available” or “to release it to another health information custodian or to another person.” 

Express consent

“Express consent” means asking a patient to expressly provide his/her permission (which may be provided either orally or in writing) to collect, use or disclose his/her personal health information. 

Health Information Custodian (“HIC”)

“Health information custodian”, subject to subsections (3) to (11) of PHIPA, means a person or organization described in PHIPA who has custody or control of personal health information as a result of performing the person’s or organization’s powers or duties. (See PHIPA for a complete definition.)

Implied consent

Implied consent refers to situations in which it is reasonable to infer that the client is consenting by the action that they have taken, and it is not necessary to specifically (or expressly) ask for the client’s consent. For example, when a client allows their blood to be drawn at a medical laboratory, it is implied that they consent to the results of their blood work being disclosed to the ordering clinician. Similarly, in community care, consent is implied when a client fills out an intake form that clearly identifies the purposes of the form, what it will be used for and who it will be shared with.

Lakeview FHO

The LFHO is a group of family physicians who provide primary care as outlined in their agreement with the Ministry of Health and Long-Term Care of Ontario.

Lakeview Lead Family Physician 

The representative physician of the Lakeview FHO physicians

Personal Health Information (PHI)

Identifying information about an individual in oral or recorded form, as defined in the Personal Health Information Protection Act, 2004 (PHIPA or the Act), if the information:

  • Relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family;

  • Relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual;

  • Is a plan of service within the meaning of the Home Care and Community Services Act, 1994, for the individual;

  • Relates to the donation by the individual of any body part or bodily substance of the individual, or is derived from the testing or examination of any such body part or bodily substance;

  • Is the individual’s health number; or,

  • Identifies an individual’s substitute decision maker.

Personal Information (PI):

Personal information includes PHI and any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;

  • opinions, evaluations, comments, social status, or disciplinary actions; and

  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).

Personal information does not include the name, title or business address or business telephone number of an employee of an organization.

PHIPA

The Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Schedule A is Ontario legislation governing the LFHO’s collection, use and/or disclosure of personal information and personal health information.

Privacy

The right of an individual to control the collection, use and disclosure of his/her Personal Information; freedom from intrusion into the private life or affairs of an individual when that intrusion results from undue or illegal gathering and use of data about that individual. 

Privacy Breach

A privacy breach may take the following forms:

  • The collection, use, and disclosure of personal health information that is not in compliance with the Act or its regulation;

  • A contravention of the privacy policies, procedures or practices implemented by the LFHO;

  • A contravention of agreements involving Personal Information / Personal Health Information, including agreements with Third Party Service Providers retained by the LFHO; and

  • Circumstances where personal health information is stolen, lost or subject to unauthorized use or disclosure, or where records of personal health information are subject to unauthorized copying, modification, or disposal.

Privacy Impact Assessment (PIA)

A PIA is a formal risk management tool used to identify the actual or potential effects that a proposed or existing information system, technology or program may have on individuals’ privacy. A PIA also identifies ways in which privacy risks can be mitigated.

Regulation

Ontario Regulation 329/04 made under PHIPA.

Substitute Decision Maker (SDM)

A substitute decision maker is an individual authorized under section 5 of PHIPA to consent on behalf of a patient to the collection, use or disclosure of personal health information about that patient. As such, all references to a “patient” made in this document are also inclusive of authorized SDMs. 

Threat Risk Assessment (TRA)

A Threat and Risk Assessment is a formal tool to provide senior management of an organization with the necessary information to make decisions on risks, based on a review of the information holdings and systems under assessment.

Use

As defined in section 2 of PHIPA, “use” means “to handle or deal with personal health information.” The definition of use is distinct from, and should not be confused with, the term “disclose” (see above).