Privacy Practices.

Presentation transcript:

Privacy Practices

Privacy Principles
PHIPA is based on the Canadian Standards Association (CSA)’s 10 Privacy Principles:
- Accountability
- Identifying Purpose
- Consent
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
All TSH personnel are required to ensure these privacy principles are adhered to.


Consent
Implied Consent: HICs may imply an individual’s consent to collect and use PHI for providing healthcare. They may also imply consent to disclose PHI to another HIC for the purpose of providing or assisting in the provision of health care to the individual.
Expressed Consent: In all other circumstances, HICs may only collect, use or disclose PHI with the expressed consent (i.e., verbal or written consent) of the individual to whom the PHI relates or his/her substitute decision maker.

Capacity to Consent
- Patients must have the capacity to consent.
- Consent must be voluntary, knowledgeable, and relate to the information.
- Substitute decision maker (SDM) may consent on patient’s behalf.
As a patient…

Circle of Care
A HIC may only assume an individual’s implied consent to collect, use or disclose PHI if all of the following six conditions are satisfied.
1- Must be a health information custodian
2- The PHI must have been received from the individual, his or her substitute decision-maker or another HIC
3- The HIC must have received the PHI for the purpose of providing or assisting in the provision of health care to the individual
4- The purpose of the collection, use or disclosure of PHI by the HIC must be for the provision of health care
5- In the context of disclosure, the disclosure of PHI by the HIC must be to another HIC
6- The HIC that receives the PHI must not be aware that the individual has expressly withheld or withdrawn his or her consent to the collection, use or disclosure

Permitted Disclosure Without Consent
- When a patient is injured or incapacitated and unable to consent, we may disclose information necessary to permit contact with next of kin, friend, or potential substitute decision maker
- May disclose to reduce or eliminate significant risk of harm to individual(s); disclosure of only necessary information to appropriate individual/body would override patient objection
- To comply with subpoena or warrant, or where a statute of Ontario or Canada requires it
- Mandatory reporting of gunshot wounds
- Mandatory reporting of communicable diseases

Ontario Legislation for Our Patients
The Health Information Protection Act (HIPA) provides hospitals with direction concerning the collection, use and sharing of personal health information. It also requires that hospitals provide that information to their patients. TSH is developing updated notices that outline the following for our patients:
We may collect, use and give out your personal health information to others, as reasonably necessary to:
- Provide you with health care and assistance, both within and outside the hospital
- Communicate or consult about your health care with your doctor(s) and other health care providers
- Get payment for your health care and hospital services including from OHIP and private insurance
- Do health system planning and research
- Report as required or permitted by law

Ontario Legislation for Our Patients
- Patients have the right to refuse to allow their personal health information to be shared, even within the circle of care. This is called a Consent Directive.
- Because this may have a detrimental effect on the provision of care, a formal request is required.
- Should patients express a desire to withhold their personal health information from a care provider or group of providers, the process at TSH is to direct the patient to the Release of Information Area within Health Records.

Safeguards
You are responsible for the PHI you have access to. TSH must employ safeguards to help you protect PHI.
Types of Safeguards:
- Administrative
- Technical
- Physical

Administrative Safeguards
Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect information.
Examples of administrative safeguards include:
- Personal Health Information Protection Policy
- Freedom of Information and Protection of Privacy Policy
- Confidentiality and User Access Agreement
- Access Control Processes
- Release of Health Records Processes
- Audits and Incident Management Processes
Staff must adhere to the Privacy and Information Security policies, practices and protocols to uphold the administrative safeguards that have been put in place to protect all confidential information including staff and patient PI/PHI.

Technical Safeguards
Technical safeguards are the technology that protects electronic information and controls access to it.
Examples of technical safeguards include:
- Firewalls
- Encryption
- Integrity and Authentication
- Technical Access Controls
All PHI data is password protected. Staff with access to PHI must use their own account to access the information.

Physical Safeguards
Physical safeguards are physical measures to protect information, buildings, and equipment from natural and environmental hazards and unauthorized intrusion.
Examples of physical safeguards include:
- Always wearing your identification badge
- Being mindful of who is following you into secure areas and whether they have permitted access
- Keeping information in a secure location (e.g. locked cabinet) when unattended
- Video surveillance
You must ensure that all confidential information, including PI/PHI that you may have access to, is safely stored.

Storage and Retention
- Any PI/PHI in paper hard copy should be stored in a secure location (e.g. locked cabinet), and disposed of in a confidential waste bin for shredding when no longer required
- Any PI/PHI stored on a portable media device (e.g. disc, USB key) must be encrypted and then destroyed/sanitized when no longer required
- All records should be retained in accordance with the Records Retention and Disposal Policy

Privacy Incidents and Breaches
Privacy Incident:
- A contravention of privacy policies, procedures or practices implemented by TSH, where this contravention does not constitute non-compliance with applicable privacy law
Privacy Breach:
- The collection, use or disclosure of PHI that is not in compliance with the Personal Health Information Protection Act (PHIPA) or its regulations
- The collection, use or disclosure of PI that is not in compliance with the Freedom of Information and Protection of Privacy Act (FIPPA) or its regulations
- Circumstances where PI/PHI is stolen, lost or subject to unauthorized or inappropriate collection, use or disclosure, copying, modification, retention or disposal
Privacy incidents/breaches can be intentional or inadvertent. It is everyone’s responsibility to immediately report privacy incidents/breaches to the SAFE electronic incident reporting system and notify the FOI and Privacy Office. You may be required to assist in containing, investigating and resolving the incident/breach.

Social Media and Networking
Social media and networking sites such as Facebook, Twitter, and LinkedIn can be beneficial to The Scarborough Hospital in health promotion, community engagement, reputation management and enhanced customer service. However, staff must be cautious of the privacy implications.
- Staff may not use TSH’s name to open and manage accounts unless authorized to do so.
- Staff must exercise caution when posting comments relating to work to ensure that the confidentiality of the hospital’s information and the privacy of patient and staff information are maintained at all times.

Potential Repercussions
Failure to adhere to privacy legislation or hospital policies, intentional breaches, and failure to report incidents/breaches may result in disciplinary action, including potential job loss.
Potential Repercussions for TSH:
- Fines
- Loss of trust in the organization by our patients/community
- Information and Privacy Commissioner of Ontario (IPC) may issue an Order
Please review