NSMHPCN is responsible for personal information under its control and will designate individual(s) who are accountable for its compliance. The Director of Operations and Communications is the Privacy Officer.
NSMHPCN is responsible for personal information under its control. All staff and volunteers are accountable for following procedures in this policy that are based on the following ten (10) principles:
1. Accountability for Personal Information
2. Purposes for which Personal Information is Collected
3. Consent for Collection, Use and Disclosure of Personal Information
4. Limiting Collection of Personal Information
5. Limiting Use, Disclosure, and Retention of Personal Information
6. Accuracy of Personal Information
7. Safeguards for Personal Information
8. Openness
9. Individual Access to Personal Information
10. Challenging Compliance
Principle 1: Accountability for Personal Information
NSMHPCN is responsible for personal information under its control and will designate individual(s) who are accountable for its compliance.
Accountability for NSMHPCN’s compliance with the principles rests with the Director of Operations and Communications, even though other individuals within NSMHPCN may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within NSMHPCN may be delegated to act on behalf of the Director of Operations and Communications.
It will be made known that the Director of Operations and Communications is the Privacy Officer and will be responsible to oversee NSMHPCN’s compliance with the principles.
NSMHPCN is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. It will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
NSMHPCN will implement policies and practices to give effect to the principles, including:
a) Implementing procedures to protect personal information;
b) Establishing procedures to receive and respond to complaints and inquiries;
c) Training staff and communicating to staff information with respect to NSMHPCN policies and practices; and
d) Developing information to explain its policies and procedures.
Principle 2: Purposes for Which Health Information is Collected
NSMHPCN will identify the purposes for which personal information is collected at or before the time the information is collected.
NSMHPCN collects personal information for the purpose of:
a) Direct client/resident care or support;
b) Research, teaching and statistics;
c) Complying with legal regulatory requirements.
Identifying the purposes for which personal information is collected at or before the time of collection allows NSMHPCN to determine the information it needs to collect to fulfill these purposes. The Limiting Collection principle (Clause 4) requires an organization to collect only that information necessary for the purposes that have been identified.
NSMHPCN will specify the identified purposes at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. The referral, intake or appointment form, for example, may give notice of the purpose.
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
Persons collecting personal information will be able to explain to individuals the purposes for which the information is being collected.
Principle 3: Consent for Collection, Use and Disclosure of Personal Information
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
NOTE: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent, such as when information is being collected for the detection and prevention of fraud or for law enforcement. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent.
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, NSMHPCN will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use, for example, when NSMHPCN wants to use information for a purpose not previously identified.
The principle requires “knowledge and consent”. NSMHPCN will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
NSMHPCN will not, as a condition of the supply of a service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
The form of the consent sought by NSMHPCN may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, the organization will take into account the sensitivity of the information. Although some information, for example clinical records, and income records, is almost always considered sensitive, any information can be sensitive, depending on the context.
In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual requesting NSMHPCN services will reasonably expect that NSMHPCN, in addition to using an individual’s personal information for service planning, would also contact the referring physician to report results of interventions. In this case, NSMHPCN can assume that the individual’s request for services constitutes consent for specific, related purposes. On the other hand, an individual would not reasonably expect that personal information given NSMHPCN would be given to a company selling healthcare products, unless consent was obtained.
The way in which NSMHPCN seeks consent may vary, depending on the circumstances and the type of information collected. NSMHPCN will generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.
Individuals can give consent in many ways. For example:
a) A referral, appointment or admission form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
b) Consent may be given orally when information is collected over the telephone; or
c) Consent may be given at the time that individuals receive service or treatment.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. NSMHPCN will inform the individual of the implications of such withdrawal.
Where there is a Power of Attorney for Personal Care, a copy will be maintained in the chart. Where there is no power of attorney, the following is used to assess the appropriate Substitute Decision Maker (SDM) for healthcare decisions when the client/resident is not capable of understanding the decisions or their consequences in that situation. NSMHPCN will be guided by the Consent & Capacity Policy and Procedures.
Clients or substitute decision makers can make a request for a consent directive. While PHIPA permits clients to make verbal consent directive requests, NSMHPCN will make every reasonable effort to obtain the client’s written instructions. These written instructions will be maintained in the client’s chart and the Privacy Officer will be notified of the consent directive.
Where a consent directive request has been made, the client will be informed of factors impacting such a request, which include: the consent directive only applies to PHI the client has already provided, and not to PHI which the client might provide in the future; PHIPA permits certain collections, uses and disclosures of the PHI despite the consent directive; healthcare providers may override the consent directive in certain circumstances such as emergencies; and the consent directive may result in delays in receiving health care or reduced quality of care due to a healthcare provider lacking complete information. In such circumstances, where the consent directive is overridden, the Director of Operations and Communications and the client/SDM will be notified.
When a consent directive is established, the client’s record will be locked and accessed only by individuals who have been granted such access by the client or SDM. A duplicate client record will be created, with the historical record deleted from that point moving forward. The Director of Operations and Communications will be notified that a consent directive request has been made and a copy of the signed consent will be provided to the Director of Operations and Communications.
Whenever PHI is shared which is subject to a consent directive, the recipient is notified that the record is missing certain information which is subject to a consent directive.
Principle 4: Limiting Collection of Personal Information
NSMHPCN will limit the collection of personal information to that which is necessary for the purposes identified. Information will be collected by fair and lawful means.
NSMHPCN will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified.
Organizations will specify the type of information collected as part of their information handling policies and practices, in accordance with the Openness principle.
The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
Principle 5: Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. This applies to personal health information in all forms: verbal, written and electronic. Prior to disclosing PHI based on a request, the identity of the individual or SDM will be verified through presentation of identification, responses to security questions, or formal presentation of documentation that the individual is an SDM.
Personal information will be retained only as long as necessary for the fulfillment of those purposes. Organizations using personal information for a new purpose will document this purpose.
NSMHPCN will implement guidelines and procedures with respect to the retention of personal information (Document Retention Policy). Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made. These retention guidelines for PHI will satisfy the requirements in PHIPA section 1(2) regarding pending client access requests, the Limitations Act and the Rules of Civil Procedure regarding lawsuits, the need to resolve legal/College issues, and any other legislation governing PHI retention periods.
Where a request is made for access to PHI in the form of a subpoena, summons or warrant, by police acting on behalf of a coroner, or in related contexts, the following steps will be taken:
a) The agency lawyer will be contacted to obtain input/advice;
b) Depending on what is requested, a meeting would be held with all persons having written in the file being subpoenaed for information;
c) Only the information requested will be provided with all other information being redacted based on the agency
Principle 6: Accuracy of Personal Information
Personal Information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
The extent to which personal information will be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
NSMHPCN will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
Personal information that is used on an ongoing basis, including information that is disclosed to third-parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Where a request is made to correct a record of PHI, NSMHPCN will respond to the request within 30 days (or up to 60 days upon an extension). When a change is made to the original record, the original record will be maintained.
Wherever a Statement of Disagreement (SOD) is disclosed by the client/resident or a third party, NSMHPCN will investigate to ensure accuracy and correct the record as required. All staff having access to the record will be informed of the changes.
Principle 7: Safeguards for Personal Information
Personal Information will be protected by security safeguards appropriate to the sensitivity of the information in order to reduce the risk of a privacy breach. These safeguards remain in place and will continue to apply even after employment/affiliation terminates. A privacy breach is said to have occurred when there is unauthorized access to, or collection, use, or disclosure of, personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA, or similar provincial privacy legislation.
The security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. NSMHPCN will protect personal information regardless of the format in which it is held.
The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the methods of storage. More sensitive information will be safeguarded by a higher level of protection.
The methods of protection will include:
a) Physical measures, for example, locked filing cabinets and restricted access to offices;
b) Organizational measures, for example, confidentiality agreements and limiting access on a “need to know” basis;
Access to Community and Bereavement files is limited to: Bereavement Services Coordinator, Director of Operations and Communications and Program Coordinator.
Access to Donor files is limited to: Director of Operations and Communications, Administrative Assistant and Communications and Fundraising Coordinator.
c) Technological measures, for example, the use of passwords. Passwords will not be shared.
For remote (VPN) access, the home or personal computer must have valid, up-to-date antivirus software installed; the home or personal computer must have a separate profile for each person who uses the computer, and each person/profile must have their own password; the computer must be locked when left unattended so that no one can see any PHI open on the screen; and the VPN connection must be closed when finished working.
d) Annual privacy audits will be conducted to ensure information is protected. Process:
In Canada, the disclosure of privacy breaches is voluntary. NSMHPCN will evaluate each incident and determine an appropriate response and whether the Office of the Privacy Commissioner will be notified. Notwithstanding the prior statement, NSMHPCN will conduct an investigation to determine what/how the breach occurred, and to implement actions/processes to address the situation to ensure reasonable actions are taken to mitigate a recurrence. This includes a determination of whether notification to individuals has occurred or been considered.
NSMHPCN will make its employees aware of the importance of maintaining the confidentiality of personal information. Annual privacy training will be provided for all staff, and ongoing privacy awareness reminders and updates will be provided as available.
Care will be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information. See Clause 5.3.
NSMHPCN will monitor and address all inappropriate uses of personal health information. In the event of any misuse of personal health information the Progressive Discipline Policy will be enforced.
NSMHPCN has an established procedure whereby all consultants, IT providers, physicians, legal counsel, suppliers or contractors who may have access to PHI under a service agreement sign a privacy and confidentiality agreement prior to having any such access.
Information will remain protected and privacy responsibilities will continue to apply even after employment/affiliation with the organization terminates.
Principle 8: Openness
NSMHPCN will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
NSMHPCN will be open about its policies and practices with respect to the management of personal information. Individuals will be able to acquire information about its policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.
The information made available will include:
a) The name or title, and the address, of the person who is accountable for NSMHPCN policies and practices and to whom complaints or inquiries can be forwarded;
b) The means of gaining access to personal information held by NSMHPCN;
c) A description of the types of personal information held by NSMHPCN, including a general account of its use;
d) A copy of any brochures or other information that explain NSMHPCN’s policies, standards or codes; and
e) What personal information is made available to related organizations, e.g., funders.
NSMHPCN may make information on its policies and practices available in a variety of ways. For example, it may choose to make brochures available in high-traffic client areas, mail information to its clients, provide online access, or establish a toll-free number.
Principle 9: Individual Access to Personal Information
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, NSMHPCN may not be able to provide access to all of the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial propriety reasons, and information that is subject to solicitor/client or litigation privilege.
Upon request, NSMHPCN will inform an individual whether or not it holds personal information about the individual. It is encouraged to indicate the source of this information. NSMHPCN will allow the individual access to this information. However, it may choose to make sensitive clinical information available through a clinical practitioner. In addition, NSMHPCN will provide an account of the use that has been made, or is being made of this information and an account of the third-parties to which it has been disclosed.
An individual may be required to provide sufficient information to permit NSMHPCN to provide an account of the existence, use, and disclosure of his or her personal information. The information provided will only be used for this purpose.
In providing an account of third parties to which it has disclosed personal information about an individual, NSMHPCN will attempt to be as specific as possible. When it is not possible to provide a list of organizations to which it has actually disclosed information about an individual, NSMHPCN will provide a list of organizations to which it may have disclosed information about the individual.
NSMHPCN will respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. NSMHPCN will respond to information access requests within 30 days (or up to 60 days upon an extension). The requested information will be provided or made available in a form that is generally understandable. For example, if NSMHPCN uses abbreviations or codes to record information, an explanation will be provided.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, NSMHPCN will amend the information as required. Depending on the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third-parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the individual, NSMHPCN will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
Principle 10: Challenging Compliance
An individual will be able to address a challenge concerning compliance with the ten principles previously outlined to the designated individual or individuals accountable for NSMHPCN’s compliance.
The individual accountable for NSMHPCN compliance is discussed in Clause 1.1.
NSMHPCN will put procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information.
The complaint procedures will be easily accessible and simple to use.
NSMHPCN will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures.
NSMHPCN will investigate all complaints. If a complaint is found to be justified, NSMHPCN will take appropriate measures, including, if necessary, amending its policies and practices.